The Social Security Administration (SSA) had multiple weaknesses in its cloud environment and policies as of September 2018, an August 29 summary by SSA’s inspector general said.
The summary of the inspector general’s report noted that SSA’s cloud security program “needed improvement” in the implementation of policies. At the time of the audit in September 2018, SSA maintained an on-site private cloud and 22 systems in external cloud environments.
While the report includes little detail on the issues discovered by the inspector general, the summary does include information on the 10 recommendations to SSA. The report recommended that SSA:
- Evaluate its procedures to ensure its cloud system inventory is complete and accurate;
- Ensure timely and proper assessment and authorization of cloud systems;
- Complete implementation of its continuous monitoring program for cloud environments;
- Implement controls to manage the risks of root accounts and restrict global administrator accounts; and
- Enhance guidance and oversight for system security plans and include training for authorization managers.
SSA agreed with all recommendations.