USAID Needs To Improve Policy and Processes To Better Protect Information Accessed on Personal Devices

USAID had a risk of an information security breach due to the use of an external cloud system. We found that the Agency had some internal controls in place to address the risk, as recommended by the National Institute of Standards and Technology, Digital Services Advisory Group, and Federal Chief Information Officers Council. For example, USAID required staff to take training in protecting sensitive information and to sign a user agreement. It also required staff using personal devices to log into their external cloud system accounts using Agency-issued RSA tokens. Yet, the Agency faced an increased risk of a breach because it had not implemented other key internal controls needed to protect information accessed in the external cloud system by staff on their personal devices. For example, USAID did not implement controls to automatically terminate user sessions after 60 minutes of inactivity, as required by Agency policy. It also did not always identify or cancel the external cloud system user accounts for contractors when the accounts were no longer required. We identified four reasons that USAID did not implement key controls and made recommendations to improve USAID’s control environment to protect information available in the external cloud system when accessed through staff's personal devices.