Stay Informed
of New Reports
Twitter
Where To Report Waste
Fraud, Abuse, Or Retaliation
Where To Report Waste Fraud, Abuse, Or Retaliation

The U.S. Department of the Interior Needs To Better Protect Data Stored in the Cloud From the Risk of Unauthorized Access

Submitting OIG: 
Department of the Interior OIG
Report Description: 
We found weaknesses in DOI’s cyber risk management and governance could cause mission disruptions, compromised data, and misuse of public funds.
Short / Alternative Report Title: 
The U.S. Department of the Interior Needs To Better Protect Data Stored in the Cloud
Date Issued: 
Wednesday, February 21, 2024
Agency Reviewed / Investigated: 
Department of the Interior
Submitting OIG-Specific Report Number: 
2022-ITA-025
Component, if applicable: 
Departmentwide
Location(s): 
Agency-Wide
Type of Report: 
Inspection / Evaluation
Questioned Costs: 
$0
Funds for Better Use: 
$0
Number of Recommendations: 
10
Report updated under NDAA 5274: 
No
View Document: 
AttachmentSize
PDF icon Final-Evaluation-ReportSecurity-Data-Stored-CloudPublic.pdf4.89 MB

Related Open Recommendations

Recommendation Number Recommendation Status Significant Recommendation Additional Details
2022-ITA-025-01 Open Yes
We recommend that the Office of the Chief Information Officer extend the capability of its data loss prevention solution to include rule-based analysis to detect and prevent the exfiltration of sensitive data from the subject system in accordance with industry best practices.
2022-ITA-025-02 Open Yes
We recommend that the Office of the Chief Information Officer regularly test the Department’s data loss prevention capability to ensure that sensitive data in the subject system is protected against data exfiltration attempts.
2022-ITA-025-03 Open No
We recommend that the Office of the Chief Information Officer evaluate data communication protocols in use by the subject system that are vulnerable to exploitation and implement controls to mitigate identified vulnerabilities.
2022-ITA-025-04 Open Yes
We recommend that the Office of the Chief Information Officer ensure the implementation and annual testing of contractually required data loss prevention controls on all cloud systems containing sensitive data.
2022-ITA-025-05 Open Yes
We recommend that the Office of the Chief Information Officer establish controls to identify, detect, and prevent unauthorized cloud services when they are acquired and used outside of the Office of the Chief Information Officer’s process.
2022-ITA-025-06 Open No
We recommend that the Office of the Chief Information Officer issue formal guidance to all Department employees and contractors detailing the Office of the Chief Information Officer’s approved processes, procedures, and requirements for acquiring authorized cloud-computing services.
2022-ITA-025-07 Open No
We recommend that the Office of the Chief Information Officer establish a process to regularly review purchase card transactions to identify and ensure that all cloud-computing systems used by Department employees and contractors on behalf of the Department are included in the Department’s authoritative information system inventory.
2022-ITA-025-08 Open Yes
We recommend that the Office of the Chief Information Officer establish controls to ensure that only FedRAMP-approved cloud-computing services are authorized to access the Department’s network and that non‑FedRAMP‑approved cloud-computing services in use are discontinued and blocked from access to Department network resources in accordance with the Department’s acceptable use policy.
2022-ITA-025-09 Open No
We recommend that the Office of the Chief Information Officer modify its Foundation Cloud Hosting Services contract to incorporate penalties for not meeting service-level agreements.
2022-ITA-025-10 Open No
We recommend that the Office of the Chief Information Officer ensure all existing non-Foundation Cloud Hosting Services contracts are migrated to an approved enterprisewide cloud-hosting procurement or modified to incorporate OCIO requirements and best practices for procuring cloud services, as recommended by the Chief Acquisition Officer and Chief Information Officer Councils and OCIO policy.
Displaying 10 of 10 Recommendations