Cloud Computing: USAID Needs to Improve Controls to Better Protect Agency Data

Audit Report
Report Number: A-000-24-004-P

Why We Did This Audit

  • USAID has increased its reliance on cloud computing services in recent years with the migration of many of its information technology operations to the cloud. According to Agency officials, USAID spent $47.6 million on cloud computing services in fiscal year 2022.
  • Cloud computing provides Federal agencies with “ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” At the same time, placing data in the cloud involves substantial risk; therefore, Federal agencies must take additional steps to protect the confidentiality, integrity, and availability of their cloud-based information. Cybersecurity compromises could result in higher costs, litigation, loss of public trust, and reputational harm.
  • Given these challenges, we initiated this audit to assess the extent to which USAID (1) followed selected requirements and guidelines for procuring and monitoring selected cloud computing services and (2) implemented and monitored selected security controls over selected cloud computing systems in accordance with Federal requirements. 

What We Found

  • USAID did not consistently follow three of five requirements for procuring and monitoring the cloud computing services we reviewed. Specifically, the Office of the Chief Information Officer (OCIO) did not consistently conduct cost-benefit and alternative analyses, approve acquisition plans, or implement and monitor service level agreement requirements. As required, OCIO officials regularly performed annual evaluations to assess whether contractor performance met the terms of the three contracts we selected for review. They also included the high-risk, cloud-related clauses in the selected contracts, as required, to help protect USAID data and information. 
  • USAID also did not consistently implement and document monitoring of selected security controls. The National Institute of Standards and Technology’s security standards for Federal information systems include controls to prevent unauthorized user access and to update plan of action and milestones (POA&M) with remediation actions taken and system security plans (SSPs) with security assessment report results. We found that USAID system owners for two systems we reviewed did not consistently approve access or authorize roles and privileges as part of account management, update POA&Ms, or document their monitoring of the remediation of weaknesses as part of security assessment, authorization, and monitoring. In addition, Agency officials did not update the SSPs for these systems so they would be aware of weaknesses in security controls.
  • Cloud services are an integral part of USAID’s operations. To mitigate associated risks, the Agency has developed and implemented controls to protect the confidentiality, integrity, and availability of information stored in the cloud. However, by adding controls and consistently implementing existing controls, USAID can more effectively procure, monitor, and use cloud computing services. Strengthening these controls will put the Agency in a better position to use taxpayer dollars more efficiently while protecting system data.

What We Recommend

  • USAID agreed with all 13 of our recommendations to help improve the Agency’s efforts to procure and secure its cloud services and systems. 

Recommendations

Recommendation 1

We recommend that USAID's Chief Information Officer develop and implement written guidance for performing and documenting cost-benefit and alternative analyses for cloud acquisitions before procuring cloud services.

Questioned Cost: 0 | Funds for Better Use: 0

Recommendation 2

We recommend that USAID's Chief Information Officer develop and implement a written procedure to document the Chief Information Officer's review and approval of all cloud service acquisition plans.

Questioned Cost: 0 | Funds for Better Use: 0

Recommendation 3

We recommend that USAID's Chief Information Officer develop and implement a written process for defining and reviewing service level agreements to determine whether they meet Agency needs.

Questioned Cost: 0 | Funds for Better Use: 0

Recommendation 4

We recommend that USAID's Chief Information Officer develop and implement a written policy for monitoring and documenting cloud service providers' compliance with service level agreements.

Questioned Cost: 0 | Funds for Better Use: 0

Recommendation 5

We recommend that USAID's Chief Information Officer revise the standard reporting template for continuous monitoring to clarify whether it applies to cloud systems.

Questioned Cost: 0 | Funds for Better Use: 0

Recommendation 6

We recommend that USAID's Chief Information Officer develop additional procedures to hold system owners accountable for noncompliance with continuous monitoring reporting requirements. This may include actions other than denying a system authority to operate, such as a negative performance evaluation or disciplinary action.

Questioned Cost: 0 | Funds for Better Use: 0

Recommendation 7

We recommend that USAID's Chief Information Officer develop additional procedures to hold system owners accountable for noncompliance with plan of action and milestones requirements. This may include actions other than denying a system authority to operate, such as a negative performance evaluation or disciplinary action.

Questioned Cost: 0 | Funds for Better Use: 0

Recommendation 8

We recommend that USAID's Chief Information Officer revise Agency procedures to address how system owners should document their monitoring of cloud service providers' remediation activities.

Questioned Cost: 0 | Funds for Better Use: 0

Recommendation 9

We recommend that USAID's Chief Information Officer work with the Deputy Chief Human Capital Officer and IT Operations Division Chief to update the system security plan, as required. This may include updating the system security plan with the results of a security assessment or creating a plan of action and milestones.

Questioned Cost: 0 | Funds for Better Use: 0

Recommendation 10

We recommend that USAID's Deputy Chief Human Capital Officer update the system's continuous monitoring report to identify weaknesses with access, roles, and privileges, as required.

Questioned Cost: 0 | Funds for Better Use: 0

Recommendation 11

We recommend that USAID's Deputy Chief Human Capital Officer complete plan of action and milestones, as required. This may include documenting the "planned remediation actions" in the reports.

Questioned Cost: 0 | Funds for Better Use: 0

Recommendation 12

We recommend that USAID's IT Operations Division Chief update the systems' continuous monitoring report to identify weaknesses with access, roles, and privileges, as required.

Questioned Cost: 0 | Funds for Better Use: 0

Recommendation 13

We recommend that USAID's IT Operations Division Chief complete plan of action and milestones, as required. This may include documenting the "planned remediation actions" in the reports.

Questioned Cost: 0 | Funds for Better Use: 0