USAID had a risk of an information security breach due to the use of an external cloud system. We found that the Agency had some internal controls in place to address the risk, as recommended by the National Institute of Standards and Technology, Digital Services Advisory Group, and Federal Chief Information Officers Council. For example, USAID required staff to take training in protecting sensitive information and to sign a user agreement. It also required staff using personal devices to log into their external cloud system accounts using Agency-issued RSA tokens. Yet, the Agency faced an increased risk of a breach because it had not implemented other key internal controls needed to protect information accessed in the external cloud system by staff on their personal devices. For example, USAID did not implement controls to automatically terminate user sessions after 60 minutes of inactivity, as required by Agency policy. It also did not always identify or cancel the external cloud system user accounts for contractors when the accounts were no longer required. We identified four reasons that USAID did not implement key controls and made recommendations to improve USAID’s control environment to protect information available in the external cloud system when accessed through staff's personal devices.
USAID Needs To Improve Policy and Processes To Better Protect Information Accessed on Personal Devices
Recommendation 1. USAID's Chief Information Officer: Conduct a risk assessment of the current session-termination setting of seven days versus the eight-hour best practice for the [Agency's] external cloud system, and take the necessary action based on the results of the risk assessment.
Recommendation 2. USAID's Chief Information Officer: Develop and implement written policies and procedures for Agency-created external cloud-system administrators that clearly define and specify the privileges to be assigned to each role.
Recommendation 3. USAID's Chief Information Officer: Conduct a risk assessment of Agency staff using personal devices to access the external cloud system and determine what actions Agency officials need to take to mitigate any identified risks. This includes updating relevant policies so that they consistently reflect the acceptable use of personal devices, as management deems appropriate, and providing training to staff on those new policies.
Recommendation 4. USAID's Chief Information Officer: Develop and implement policies and procedures to disable network accounts promptly for contractors when the contracted work ends.
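The two control gaps the report cites, an idle-session timeout set far above policy and contractor accounts left enabled after their work ended, are both checkable from system records. The following script is an added illustration of such a check and is not code from the report or from USAID; the account data, the field names, and the assumption that a directory export records a contract end date and a last-activity timestamp are all constructed for the example. The thresholds (60 minutes of inactivity under Agency policy, the eight-hour best practice, and the seven-day setting the audit observed) are the figures stated above.

```python
"""Constructed audit check for the two control gaps the report cites:
idle-session termination and stale contractor accounts.  Example code,
not USAID's; the account data below is invented for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Thresholds named in the report: Agency policy (60 min), the best practice
# cited in recommendation 1 (8 h), and the setting the audit found (7 days).
POLICY_MAX_IDLE = timedelta(minutes=60)
BEST_PRACTICE_MAX_IDLE = timedelta(hours=8)
OBSERVED_SETTING = timedelta(days=7)


def check_idle_timeout(configured: timedelta) -> List[str]:
    """Compare the configured idle timeout with policy and best practice."""
    findings = []
    if configured > POLICY_MAX_IDLE:
        findings.append(
            f"idle timeout {configured} exceeds Agency policy of {POLICY_MAX_IDLE}")
    if configured > BEST_PRACTICE_MAX_IDLE:
        findings.append(
            f"idle timeout {configured} exceeds best practice of {BEST_PRACTICE_MAX_IDLE}")
    return findings


@dataclass
class Account:
    """Hypothetical directory-export record (fields are assumptions)."""
    user: str
    category: str                      # "employee" or "contractor"
    enabled: bool
    contract_end: Optional[datetime]   # None for employees
    last_activity: datetime            # last session activity in the cloud system


def stale_contractor_accounts(accounts: List[Account], today: datetime) -> List[str]:
    """Contractor accounts still enabled after the contracted work ended
    (the gap behind recommendation 4)."""
    return [a.user for a in accounts
            if a.category == "contractor" and a.enabled
            and a.contract_end is not None and a.contract_end < today]


def sessions_past_policy(accounts: List[Account], now: datetime,
                         max_idle: timedelta = POLICY_MAX_IDLE) -> List[str]:
    """Enabled accounts whose last activity is older than the policy idle
    limit; under a seven-day setting these sessions would still be live."""
    return [a.user for a in accounts
            if a.enabled and now - a.last_activity > max_idle]


# Constructed sample data, not taken from the report.
NOW = datetime(2024, 1, 15, 12, 0)
SAMPLE_ACCOUNTS = [
    Account("alice", "employee", True, None, NOW - timedelta(minutes=10)),
    Account("bob", "contractor", True, datetime(2023, 12, 31), NOW - timedelta(days=3)),
    Account("carol", "contractor", True, datetime(2024, 6, 30), NOW - timedelta(hours=2)),
    Account("dave", "contractor", False, datetime(2023, 11, 1), NOW - timedelta(days=60)),
]


def run_audit() -> dict:
    """Run all three checks against the sample data and return the findings."""
    return {
        "timeout": check_idle_timeout(OBSERVED_SETTING),
        "stale_contractors": stale_contractor_accounts(SAMPLE_ACCOUNTS, NOW),
        "idle_past_policy": sessions_past_policy(SAMPLE_ACCOUNTS, NOW),
    }


if __name__ == "__main__":
    for name, result in run_audit().items():
        print(f"{name}: {result}")
```

Against the sample data, the timeout check produces two findings (the seven-day setting exceeds both the 60-minute policy and the eight-hour best practice), the contractor check flags only the still-enabled account whose contract ended, and the idle check lists the two enabled accounts inactive for more than an hour. In practice the same checks would run against a directory export or the cloud system's audit log on a schedule, so that a missed deprovisioning surfaces as a finding rather than persisting unnoticed.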