DOE Inspector General Finds Lapses in Cloud Computing Services Authorization, Monitoring

The Department of Energy’s inspector general said the agency is not authorizing and monitoring its cloud computing services properly.

According to an IG report, some cloud services used by the DOE, its national laboratories and the National Nuclear Security Administration were onboarded without proper checks for determinations, unmanaged accounts and continuous monitoring. The IG noted that such lapses could expose the department’s systems to external risks, such as data exfiltration and unauthorized access.

The oversight body reviewed 17 cloud systems across five locations. The review started in January 2021 and ended in December 2022, FCW reported Tuesday.

According to the report, some systems were not included in the DOE’s official cloud inventory while some systems that were self-approved by contractors were deemed too risky for future use. The IG also identified over 620 unmanaged accounts on a file-sharing device that contained 464 gigabytes of data linked to cybersecurity, intelligence and senior management users.

The IG offered six recommendations to improve cloud authorization standards and security controls. The Energy Department agreed to five of them.