Date Issued
Report Number: 2015-ITA-017
Report Type: Inspection
External Entity: Departmentwide
Description
We conducted this inspection to determine the completeness and adequacy of required information technology (IT) security documentation for 16 IT systems that the Bureau of Reclamation (USBR), Bureau of Safety and Environmental Enforcement (BSEE), and U.S. Geological Survey (USGS) moved to a public Cloud. A public Cloud is a shared, Internet-accessible computing environment operated by a Cloud service provider such as Amazon or Microsoft. Cloud-based IT systems have the same Federal and U.S. Department of the Interior (Department) security requirements as systems managed by bureau personnel and operated by a departmental data center.
BSEE met security requirements, but USBR and USGS did not meet the Department’s policy for maintaining required IT security documentation. Specifically, USBR had not completed any security documentation for its three operational Cloud systems. As such, these systems were operating without authorization, placing bureau data in the Cloud potentially at risk of unauthorized access, disclosure, modification, or destruction.
We made seven recommendations to OCIO and the affected bureaus to strengthen oversight of the Department’s IT security program and close the identified security gaps.
Joint Report: No
Agency Wide: Yes