IT2023043 - Recommendation 14

Direct and require confirmation of completion from FMCSA's cloud-based system owner for the Cloud Environment-Infrastructure-as-a-service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use as required by FedRAMP. b. Complete its annual security authorization process and obtain a full Authorization to Operate for its cloud information system to ensure all systems risks have been properly identified and accepted in accordance with departmental cybersecurity policies. c. Develop and implement a process to enforce multifactor authentication for privileged and non-privileged network accounts. d. Update the Privacy Threshold Assessment and Privacy Impact Analysis to protect the privacy of its system users' personally identifiable information and other sensitive information.