Board Report: 2022-IT-B-006 March 23, 2022
The Board is increasingly using cloud services to perform its mission and to meet its information technology needs. We evaluated the effectiveness of its life cycle processes for ensuring that cybersecurity risks are adequately managed for cloud systems in use.
We found that the Board's security life cycle processes are not consistently implemented for select cloud systems across the agency. Specifically, an internal Board inventory of cloud systems was incomplete, as was the inventory it provided to the governmentwide Federal Risk and Authorization Management Program. In addition, certain of the Board's life cycle activities—assessing security controls, authorizing information systems, and monitoring security controls—were not consistently performed.
This report contains recommendations designed to strengthen the Board's cloud system inventory and cybersecurity life cycle processes.
