DHS Cloud Security Best Practices: GAO Report Released

GAO finds all agencies and departments have room to improve in implementing all of their cloud security practices.

Cloud computing provides agencies with potential opportunities to obtain IT services more efficiently; however, if not effectively implemented, it also poses cybersecurity risks. To facilitate the adoption and use of cloud services, the Office of Management and Budget and other federal agencies have issued policies and guidance on key practices that agencies are to implement to ensure the security of agency systems that leverage cloud services (i.e., cloud systems).

GAO evaluated the extent to which selected agencies have effectively implemented key cloud security practices. To do so, GAO selected 15 cloud systems across four agencies, including DHS. GAO selected these agencies based on several factors, including the number of reported IT investments leveraging cloud computing. GAO compared relevant agency documentation against six key practices identified in federal policies and guidance. GAO rated each agency as having fully, partially, or not implemented each practice for the selected systems.

GAO made recommendations to DHS to fully implement key cloud security practices. After careful review, DHS concurred with the recommendations and will be implementing them going forward.

GAO’s review found that while DHS did develop a plan for monitoring the security controls that are the Department’s responsibility for its software as a service (SaaS) system, it did not fully implement the plan. Specifically, the Department did not perform the annual assessments of the security controls required by the monitoring plan. The most recent assessment was completed in June 2020, and officials stated that they will complete the next in 2023 as part of a strategic decision to improve cloud security practices across the Department.