March 30, 2023

Security over Cloud Computing Technologies at Select Department of Energy Locations

The Department of Energy has significantly increased its adoption of cloud-based systems in recent years.  The transition to cloud-based services shifts some responsibility and risk to the cloud service provider.  However, the Department remains obligated to ensure the confidentiality, integrity, and availability of its data by identifying and accepting the risk of utilizing cloud service providers and authorizing the operation of such services.

We initiated this audit to determine whether the Department effectively implemented security over its cloud-based technologies and services.

Although the Department had implemented security measures over many of its cloud-based technologies and services, additional efforts are necessary.  Specifically, we found weaknesses with the Department’s processes to authorize, monitor, assess, control, and inventory cloud-based services used by its programs and sites.  In particular:

  • Two locations utilized cloud-based systems without appropriate approval.  Additionally, three locations had not conducted complete system authorizations for cloud systems, including identifying, implementing, and assessing the security controls for which the Department was responsible.
  • Three locations had not conducted required continuous security monitoring of cloud services that were authorized through the Federal Risk and Authorization Management Program.
  • Significant amounts of information were stored in unapproved cloud storage accounts.
  • The Department did not maintain an accurate inventory of cloud-based systems used across the enterprise, and programs and sites generally used more systems than were reported to the Office of the Chief Information Officer.

Without improvements, the Department may not be adequately protected from the risks posed by the use of systems outside its physical network boundaries, such as unauthorized access and data exfiltration.

To address the weaknesses identified during our review, we made six recommendations in this report designed to ensure that all cloud-based systems contain appropriate security controls, that security controls are adequately monitored, and that cloud-based systems are appropriately approved for operation.