
The Council of the Inspectors General on Integrity and Efficiency (CIGIE) is urging federal agencies to tighten cloud security practices following a review of oversight reports that identified recurring security weaknesses and improvement opportunities across government cloud deployments.
CIGIE published the report on March 12, outlining six major best practice themes and 19 associated practices drawn from 35 oversight reports issued between 2014 and 2024 by 19 Offices of Inspector General (OIGs) and the Government Accountability Office.
The report – conducted on behalf of the Federal Audit Executive Council’s Cross-Cutting Issues Subcommittee – aims to help agencies improve cloud security by highlighting lessons from past oversight work. The subcommittee formed a working group in October 2023 with representatives from six OIGs to analyze the earlier reports and extract common best practices.
“Agencies should learn from the results of these reports and incorporate the best practices identified by the working group,” the report says.
Among the six themes, data protection and monitoring appeared most often in the underlying oversight work, showing up in 15 reports. Assessment and authorization issues appeared in 13 reports, while oversight of cloud service providers and identity and access management each appeared in 12 reports, configuration management in 11 reports, and continuous monitoring in 10 reports.
The report’s recommendations are broad but operational. For cloud service providers (CSPs), the working group said agencies should maintain inventories of cloud service contracts, include relevant cloud security clauses in those contracts, and monitor CSP performance, backed by enforcement mechanisms written into the contracts.
For data security, it said agencies should keep accurate data inventories, use approved cloud services for storing and sharing data, and protect personally identifiable information and controlled unclassified information from unauthorized disclosure.
On identity and access management, the report calls for centralized identity and access management systems, multi-factor authentication, periodic audits of user privileges, timely deactivation of user accounts, and separation of production and non-production cloud environments.
It also recommends baseline configurations, complete asset inventories, formal continuous monitoring processes, maintenance of security artifacts, and prompt action on continuous monitoring findings.
The final set of recommendations centers on assessment and authorization. The report says agencies should perform security accreditations and authorizations, develop and update business impact assessments and system security plans, and fully implement security controls while performing regular assessments and remediating flaws.
Notably, the report stops short of saying those weaknesses still exist across agencies today.
“The team did not assess whether reported conditions remain, but highlighted the common findings to help all agencies improve or reinforce cloud security,” the report says.