Cloud Computing: USAID Needs to Improve Controls to Better Protect Agency Data

Recommendation
2

We recommend that USAID's Chief Information Officer develop and implement a written procedure to document the Chief Information Officer's review and approval of all cloud service acquisition plans.

Questioned Cost
0
Funds for Better Use
0
Recommendation
13

We recommend that USAID's IT Operations Division Chief complete the plan of action and milestones, as required. This may include documenting the "planned remediation actions" in the reports.

Questioned Cost
0
Funds for Better Use
0
Recommendation
12

We recommend that USAID's IT Operations Division Chief update the systems' continuous monitoring report to identify weaknesses with access, roles, and privileges, as required.

Questioned Cost
0
Funds for Better Use
0
Close Date
Recommendation
11

We recommend that USAID's Deputy Chief Human Capital Officer complete the plan of action and milestones, as required. This may include documenting the "planned remediation actions" in the reports.

Questioned Cost
0
Funds for Better Use
0
Close Date
Recommendation
10

We recommend that USAID's Deputy Chief Human Capital Officer update the system's continuous monitoring report to identify weaknesses with access, roles, and privileges, as required.

Questioned Cost
0
Funds for Better Use
0
Close Date
Recommendation
9

We recommend that USAID's Chief Information Officer work with the Deputy Chief Human Capital Officer and IT Operations Division Chief to update the system security plan, as required. This may include updating the system security plan with the results of a security assessment or creating a plan of action and milestones.

Questioned Cost
0
Funds for Better Use
0
Recommendation
8

We recommend that USAID's Chief Information Officer revise Agency procedures to address how system owners should document their monitoring of cloud service providers' remediation activities.

Questioned Cost
0
Funds for Better Use
0
Recommendation
7

We recommend that USAID's Chief Information Officer develop additional procedures to hold system owners accountable for noncompliance with plan of action and milestones requirements. This may include actions other than denying a system authority to operate, such as a negative performance evaluation or disciplinary action.

Questioned Cost
0
Funds for Better Use
0
Recommendation
6

We recommend that USAID's Chief Information Officer develop additional procedures to hold system owners accountable for noncompliance with continuous monitoring reporting requirements. This may include actions other than denying a system authority to operate, such as a negative performance evaluation or disciplinary action.

Questioned Cost
0
Funds for Better Use
0
Recommendation
5

We recommend that USAID's Chief Information Officer revise the standard reporting template for continuous monitoring to clarify whether it applies to cloud systems.

Questioned Cost
0
Funds for Better Use
0
Close Date
Recommendation
3

We recommend that USAID's Chief Information Officer develop and implement a written process for defining and reviewing service level agreements to determine whether they meet Agency needs.

Questioned Cost
0
Funds for Better Use
0
Recommendation
4

We recommend that USAID's Chief Information Officer develop and implement a written policy for monitoring and documenting cloud service providers' compliance with service level agreements.

Questioned Cost
0
Funds for Better Use
0
Close Date
Recommendation
1

We recommend that USAID's Chief Information Officer develop and implement written guidance for performing and documenting cost-benefit and alternative analyses for cloud acquisitions before procuring cloud services.

Questioned Cost
0
Funds for Better Use
0