Audit of the DoD’s Compliance with Security Requirements When Using Commercial Cloud Services

Date Issued

Wednesday, February 15, 2023

Submitting OIG

Department of Defense OIG

Other Participating OIGs

Department of Defense OIG

Agencies Reviewed/Investigated

Department of Defense

Components

United States Navy (USN)

United States Marine Corps (USMC)

United States Army (USA)

United States Air Force (USAF)

OSD Chief Information Officer (CIO)

Report Number

DODIG-2023-052

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 1 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use	Additional Details
D-2023-0052-D000CP-0001-0003	No	$0	$0
(U) Rec. 3: The DoD OIG recommended that the Chief Information Officer for the Air Force require that the authorizing officials for the Tailored Multitenancy Integrated Service and Cloud One systems reevaluate the authorizations to operate, including a review of all required documentation to consider the risks associated with using the authorized commercial cloud service offering, such as the documentation supporting the Federal Risk and Authorization Management Program and DoD authorization processed and continuous monitoring activities, as required by the DoD Cloud Computing Security Requirements Guide.