Improvements Are Needed in the Cloud Security Assessment, Approval, and Monitoring Processes

Report Information

Date Issued
Report Number: 2024-200-047
Report Type: Audit
Joint Report: Yes
Participating OIG: Treasury Inspector General for Tax Administration
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

The Chief Information Officer should ensure that separation of duty controls reflect NIST guidance and require that all cloud systems have a unique System Owner and AO or AO Designated Representative.

The Chief Information Officer should ensure that the cloud system immediately completes its pilot program and that an ATO memorandum is approved for the system to remain in production.

The Chief Information Officer should ensure that summary reports are timely created for all cloud systems as required with sufficient oversight by the AOs.

The Chief Information Officer should ensure that the Cloud Continuous Monitoring SOP reflects that all summary reports are required to have a unique POA&M identification number when identifying weaknesses.

The Chief Information Officer should ensure that management approvals are consistent and documented per the requirements for cloud systems.