IT2023043 - Recommendation 8

Direct and require confirmation of completion from MARAD's cloud-based system owner for US Merchant Marine Academy/Campus Labs-Software-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP. b. Complete an annual security authorization process and obtain a full authorization to operate for its Software-as-a-Service cloud information system to ensure all system risks have been properly identified and accepted in accordance with departmental cybersecurity policies. c. Update its privacy threshold assessment and, if applicable, Privacy Impact Analysis to protect privacy, personally identifiable information, and other sensitive information stored in the cloud.