The Department of Defense’s Office of Inspector General has recommended that chief information officers of DOD components require authorizing officials (AOs) to reassess the authority to operate (ATO) for five commercial cloud services to ensure compliance with the DOD Cloud Computing Security Requirements Guide (SRG).
The OIG made the recommendation after it found that AOs did not evaluate all the required documentation to measure the risks of commercial cloud service offerings (CSOs) to information systems of the Army, Air Force, Navy and the Marine Corps when reevaluating the ATOs, according to a Feb. 15 report.
“Unless AOs review all required documentation to consider the risks to their respective systems, DoD Components may be unaware of vulnerabilities and cybersecurity risks associated with operating their systems or storing their data in the authorized commercial CSOs,” the report reads.
The inspector general’s office called on the DOD CIO to stress the importance of achieving compliance with the DOD Cloud Computing SRG.
The report also recommends that the director of the Defense Information Systems Agency coordinate with the Federal Risk and Authorization Management Program’s Joint Authorization Board to require commercial cloud service providers to address vulnerabilities or document risk acceptance.