Agencies don’t always implement their continuous monitoring plans because that would require a new philosophy toward cloud security, according to Dave Hinchman, director of IT and cyber at the Government Accountability Office.
Hinchman says cloud computing was an afterthought four or five years ago, but it’s starting to be seen as a way to easily meet federal cyber requirements and push updates to thousands of desktops using Software as a Service.
GAO released a cloud security report in May that found four selected departments — Agriculture, Homeland Security, Labor and Treasury — had not fully implemented continuous monitoring across the systems GAO reviewed, one of many “cautionary” findings, Hinchman says.
“What we found is not great, but there's a lot of work still to be done,” Hinchman says. “Some areas, such as documented procedures and defined security responsibilities, were in pretty good shape.”
Agencies Can’t Make Informed Decisions Without Cloud Visibility
GAO discovered the four audited agencies fully performed continuous monitoring for only three of their 15 systems and only partially implemented the practice for the remaining 12. All had plans for continuously monitoring their systems but failed to fully document their progress because none thought it necessary.
Complete documentation ensures ongoing awareness of security and privacy posture changes in systems, and until continuous monitoring is fully implemented, department risk management decisions would suffer, GAO’s report reads.
Still, agencies have made continuous monitoring improvements internally; they just need to do a better job of contractually requiring cloud service providers (CSPs) to perform such activities, Hinchman says.
Automation of continuous monitoring should also be discussed during an agency’s planning process.
“I think the continuous monitoring is going to be a challenge,” Hinchman says. “But we're looking forward to working with the agencies over the next couple of years to see their progress and get those recommendations implemented.”
Agencies Need a Standardized Approach to Continuous Monitoring
Agencies could also be taking greater advantage of the Federal Risk and Authorization Management Program, a government program for adopting secure cloud services, Hinchman says.
FedRAMP provides a standardized approach to security assessments, authorization and continuous monitoring of cloud products and services.
While FedRAMP use is improving — the program now boasts more than 1,000 authorizations — agencies with more complex systems (and therefore fewer CSP options) continue to seek exemptions for custom solutions.
FedRAMP costs also vary widely from agency to agency — ranging from about $300,000 to more than $1 million per authorization — and aren’t tracked well because agencies aren’t required to track them. The cost uncertainty is another barrier to entry, Hinchman says.
A law codifying FedRAMP was passed in 2022, but it now falls to the Office of Management and Budget and the General Services Administration to implement a structure, which is why OMB issued a draft memo on modernizing the program. The goal is to drive more agencies to FedRAMP.
GAO hopes to release a report before the year’s end analyzing barriers to agencies’ FedRAMP adoption, barring a government shutdown that would delay the review process, Hinchman says.
Agency responses to the cloud security report were “generally supportive,” he adds.
“No agency is ever really happy when we make a recommendation,” Hinchman says. “But the agreement we received shows that agencies are willing to take this seriously.”