Why We Did This Audit
- USAID has increased its reliance on cloud computing services in recent years with the migration of many of its information technology operations to the cloud. According to Agency officials, USAID spent $47.6 million on cloud computing services in fiscal year 2022.
- Cloud computing provides Federal agencies with “ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” At the same time, placing data in the cloud involves substantial risk; therefore, Federal agencies must take additional steps to protect the confidentiality, integrity, and availability of their cloud-based information. Cybersecurity compromises could result in higher costs, litigation, loss of public trust, and reputational harm.
- Given these challenges, we initiated this audit to assess the extent to which USAID (1) followed selected requirements and guidelines for procuring and monitoring selected cloud computing services and (2) implemented and monitored selected security controls over selected cloud computing systems in accordance with Federal requirements.
What We Found
- USAID did not consistently follow three of five requirements for procuring and monitoring the cloud computing services we reviewed. Specifically, the Office of the Chief Information Officer (OCIO) did not consistently conduct cost-benefit and alternative analyses, approve acquisition plans, or implement and monitor service level agreement requirements. As required, OCIO officials regularly performed annual evaluations to assess whether contractor performance met the terms of the three contracts we selected for review. They also included the high-risk, cloud-related clauses in the selected contracts, as required, to help protect USAID data and information.
- USAID also did not consistently implement and document monitoring of selected security controls. The National Institute of Standards and Technology’s security standards for Federal information systems include controls to prevent unauthorized user access, to update plans of action and milestones (POA&Ms) with remediation actions taken, and to update system security plans (SSPs) with security assessment report results. We found that USAID system owners for two systems we reviewed did not consistently approve access or authorize roles and privileges as part of account management, update POA&Ms, or document their monitoring of the remediation of weaknesses as part of security assessment, authorization, and monitoring. In addition, Agency officials did not update the SSPs for these systems, so they would not be aware of weaknesses in security controls.
- Cloud services are an integral part of USAID’s operations. To mitigate associated risks, the Agency has developed and implemented controls to protect the confidentiality, integrity, and availability of information stored in the cloud. However, by adding controls and consistently implementing existing controls, USAID can more effectively procure, monitor, and use cloud computing services. Strengthening these controls will put the Agency in a better position to use taxpayer dollars more efficiently while protecting system data.
What We Recommend
- USAID agreed with all 13 of our recommendations to help improve the Agency’s efforts to procure and secure its cloud services and systems.