
FISMA report highlights federal cloud security deficiencies

A new report on government cybersecurity efforts delivered some troubling findings for the federal government's cloud operations.

A newly released government report shows a lack of basic security controls in many departments and agencies, highlighting the precarious state of federal cloud security.

The 2014 Federal Information Security Management Act (FISMA) report, conducted by the Office of Management and Budget (OMB), examined 11 "cybersecurity areas" within federal agencies, such as risk management, incident response and reporting, and identity and access management. According to OMB, which surveyed 24 federal agencies via each agency's inspector general, there were significant deficiencies around cybersecurity and in particular cloud security.

The FISMA report stated that "incident response and reporting programs were largely compliant" with federal guidelines, but 14 out of the 24 agencies lacked at least one critical component of those programs. The report found at least three departments were "not capable of tracking and managing risks in a virtual/cloud environment."

In addition, OMB found a lack of programs for managing contractor systems, with at least three departments lacking a complete inventory of contractor systems and services residing in the cloud. The report also stated that six departments had cloud-based systems -- some of which resided in the public cloud -- that "were not compliant with FISMA requirements, OMB policy and applicable NIST guidelines."

The FISMA report also identified issues in other cybersecurity areas that could potentially jeopardize cloud security within federal agencies. For example, in the area of identity and access management, the report found that seven departments had no processes in place to "ensure that accounts were terminated or deactivated once access was no longer required." And in the area of remote access management, three departments lacked any program or policy "to detect and remove unauthorized (rogue) connections."


The FISMA report wasn't all bad news for federal cloud security. The OMB outlined improvements around FedRAMP, the federal government's risk management program for cloud services. Specifically, six cloud service providers achieved Agency Authorizations under FedRAMP, while another four earned Provisional Authorizations. In addition, agencies reported a total of 81 cloud systems as being FedRAMP-compliant.

Still, the OMB stated that significant improvements need to be made in federal government cybersecurity to keep up with an increase in "sophisticated threat activity and vulnerabilities," as well as the changing technology landscape. "We have seen notable progress by federal agencies, but there is work to be done," the report stated. "Federal agencies reported nearly 70,000 information security incidents in FY 2014, up 15% from FY 2013."

Some of the FISMA report findings echo results of other recent government-focused studies on cloud security. Skyhigh Networks Inc., a cloud security vendor based in Campbell, Calif., earlier this year released its first quarterly study devoted to government cloud adoption, titled Cloud Adoption & Risk In Government Report Q4 2014. The vendor surveyed 200,000 users in government agencies in the U.S. and Canada, and found that the average government organization used 721 cloud services in the fourth quarter; of those, only an average of 61 services were officially approved by the organizations.

"You would expect the government to be more locked down because of the kind of data they have, but they're not," said Kamal Shah, vice president of products and marketing at Skyhigh Networks. "They're 'cloud unaware.' They don't know what's being used by their employees, and they think they are blocking more cloud services than they really are."

For example, Skyhigh's report showed that 80% of agencies intended to block access to Dropbox, but only 16% were actually restricting network access to the cloud service.

Shah said government agencies are subjected to shadow cloud usage by employees just like enterprises are, although the numbers tend to be higher in the private sector. But, he added, government agencies need to do a better job identifying what cloud services they are actually using, governing access to cloud accounts, and monitoring usage of cloud services to detect potential threats.
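As an added illustration of that last point (example code written for this page, not from the article, OMB or Skyhigh Networks), the following Python script discovers cloud services from egress proxy log lines, compares them against a sanctioned list, and flags services that policy says are blocked but that still carry allowed traffic, the intent-versus-enforcement gap the Dropbox figures describe. The log format, hostnames, user names and both policy lists are constructed for the example.

```python
"""Shadow-cloud discovery from proxy logs (added example, constructed data).

Compares the cloud services actually seen in egress proxy logs against the
list the organization has sanctioned and the list it intends to block, and
reports unsanctioned usage plus "policy gaps": services meant to be blocked
for which the proxy nevertheless allowed requests.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample lines, one request each: "<epoch> <user> <action> <url> <bytes>"
# ALLOWED / DENIED is the action the proxy actually took.
SAMPLE_LOG = """\
1425000001 alice ALLOWED https://www.dropbox.com/upload 52100
1425000002 bob ALLOWED https://drive.example-agency.gov/files 1200
1425000003 carol DENIED https://dropbox.com/login 0
1425000004 alice ALLOWED https://api.box.com/2.0/files 8800
1425000005 dave ALLOWED https://www.dropbox.com/upload 93000
1425000006 bob ALLOWED https://mail.example-agency.gov/ 300
1425000007 erin ALLOWED https://pastebin.com/raw/abc 700
"""

# Hypothetical policy inputs: domains the organization sanctions, and domains
# it says it blocks. Both are matched on the collapsed service name below.
SANCTIONED = {"example-agency.gov"}
INTENDED_BLOCKED = {"dropbox.com"}


def service_for(host: str) -> str:
    """Collapse a hostname to its last two labels (www.dropbox.com -> dropbox.com)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_proxy_log(text: str):
    """Yield (user, action, service, bytes) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, user, action, url, size = parts
        host = urlsplit(url).hostname
        if not host or not size.isdigit():
            continue
        yield user, action.upper(), service_for(host), int(size)


def audit_cloud_usage(text: str, sanctioned=SANCTIONED, intended_blocked=INTENDED_BLOCKED):
    """Summarize discovered, unsanctioned and policy-gap services from log text."""
    bytes_by_service = Counter()
    users_by_service = defaultdict(set)
    allowed_despite_block = Counter()
    for user, action, svc, size in parse_proxy_log(text):
        bytes_by_service[svc] += size
        users_by_service[svc].add(user)
        # A service on the block list that still gets ALLOWED requests is a
        # gap between stated policy and what the proxy enforces.
        if svc in intended_blocked and action == "ALLOWED":
            allowed_despite_block[svc] += 1
    discovered = set(bytes_by_service)
    return {
        "discovered": sorted(discovered),
        "unsanctioned": sorted(discovered - sanctioned),
        "policy_gaps": dict(allowed_despite_block),
        "bytes_by_service": dict(bytes_by_service),
        "users_by_service": {s: sorted(u) for s, u in users_by_service.items()},
    }


if __name__ == "__main__":
    report = audit_cloud_usage(SAMPLE_LOG)
    print("Discovered services:", ", ".join(report["discovered"]))
    print("Unsanctioned:", ", ".join(report["unsanctioned"]))
    for svc, n in report["policy_gaps"].items():
        print(f"Policy gap: {svc} is meant to be blocked but {n} request(s) were allowed")
```

Run against real proxy exports, the same three outputs map onto Shah's three tasks: the discovered list is the inventory, the unsanctioned list drives access governance, and the policy-gap counter is the monitoring check that would have caught the difference between intending to block a service and actually doing so. The two-label domain collapse is deliberately simple; a production version would use a public-suffix list so that names such as example.co.uk are grouped correctly.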

"The Obama Administration has a 'cloud-first' policy, and they have embraced the cloud," Shah said. "It feels like knowledge and understanding of cloud security is growing rapidly in the government, which is good, but there's still more work to be done."


Does your organization monitor usage of or restrict access to cloud services?

It's a tricky situation. If IT completely blocks cloud services, then there is no learning curve (during company hours - people will do it on personal time). If they allow it, then the expectations of the IT experience will rise exponentially, and IT might be ready to handle it. It's going to happen organically. Instead of going to finance to seek the records of people that expensed credit-card bills (to stop it), seem them to gain from their experience. Make it a positive activity.

Yes, my organization began blocking any type of shared storage site about a year ago. The purpose is to prevent any leakage of sensitive data. Market factors drove the tightened security - they wanted the company to look more mature in its IT practices so that it would be more attractive for purchase. I guess the federal government doesn't have the same incentive!

Yes, we monitor usage and restrict access. To help overcome the problem that Brian speaks about inhibiting the learning curve, we have systems from which someone can request access to try something new or learn a new skill. While these are managed and monitored, access is easy to obtain and there are very few restrictions. It really serves as more of an oversight mechanism to make sure that we are not spending resources on systems that are not needed at the current time. IT has worked well so far, and it does not appear to inhibit learning at all.

We do not block cloud services, but at the same time, we don't make rules that would encourage the use of side cloud services in the first place (maybe I'm lucky or we're just not large enough an entity that it is treated as an issue). Having said that, we do have many of our services on private cloud platforms (our source code repository, document tree, etc.) and therefore don't need to rely on outside resources for file storage and access.