The U.S. Department of the Interior Needs To Better Protect Data Stored in the Cloud From the Risk of Unauthorized Access

View Report

Date Issued

Wednesday, February 21, 2024

Submitting OIG

Department of the Interior OIG

Other Participating OIGs

Department of the Interior OIG

Agencies Reviewed/Investigated

Department of the Interior

Components

Departmentwide

Report Number

2022-ITA-025

Report Description

We found weaknesses in DOI’s cyber risk management and governance could cause mission disruptions, compromised data, and misuse of public funds.

Report Type

Inspection / Evaluation

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 6 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
2022-ITA-025-01	Yes	$0	$0
We recommend that the Office of the Chief Information Officer extend the capability of its data loss prevention solution to include rule-based analysis to detect and prevent the exfiltration of sensitive data from the subject system in accordance with industry best practices.
2022-ITA-025-02	Yes	$0	$0
We recommend that the Office of the Chief Information Officer regularly test the Department's data loss prevention capability to ensure that sensitive data in the subject system is protected against data exfiltration attempts.
2022-ITA-025-03	No	$0	$0
We recommend that the Office of the Chief Information Officer evaluate data communication protocols in use by the subject system that are vulnerable to exploitation and implement controls to mitigate identified vulnerabilities.
2022-ITA-025-04	Yes	$0	$0
We recommend that the Office of the Chief Information Officer ensure the implementation and annual testing of contractually required data loss prevention controls on all cloud systems containing sensitive data.
2022-ITA-025-08	Yes	$0	$0
We recommend that the Office of the Chief Information Officer establish controls to ensure that only FedRAMP-approved cloud-computing services are authorized to access the Department's network and that non?FedRAMP?approved cloud-computing services in use are discontinued and blocked from access to Department network resources in accordance with the Department's acceptable use policy.
2022-ITA-025-10	No	$0	$0
We recommend that the Office of the Chief Information Officer ensure all existing non-Foundation Cloud Hosting Services contracts are migrated to an approved enterprisewide cloud-hosting procurement or modified to incorporate OCIO requirements and best practices for procuring cloud services, as recommended by the Chief Acquisition Officer and Chief Information Officer Councils and OCIO policy.