first published week of:   03/06/2023

Pentagon Didn't Check Risks Before Authorizing Cloud Services, Watchdog Finds

by Edward Graham

An audit conducted by the Defense Department’s inspector general found agency components “may be unaware of known vulnerabilities and cybersecurity risks associated with operating their systems or storing their data.”

Department of Defense officials who authorized the use of commercial cloud services across components of the agency did not review all required documentation needed to determine potential security concerns, leaving DOD’s armed forces unaware of vulnerabilities and cybersecurity risks across their systems, according to an audit publicly released by the agency’s Office of Inspector General on Feb. 16.

The partially redacted report was conducted “to determine whether DOD components complied with federal and DOD security requirements when using commercial cloud services.” The IG “nonstatistically” selected five cloud systems—which used three different commercial cloud service offerings, or CSOs—for review from the Air Force, Army, Marine Corps and Navy, all of which, the audit said, were “Federal Risk and Authorization Management Program (FedRAMP) and DOD authorized and at the appropriate DOD impact level for the five systems reviewed.”

 Read full story at FCW…

---

 Go to the current issue of The Harlow Report-GIS