GAO Reports
Here's a look at Government Accountability Office reports
Innovation in Action: Bringing New Ideas to Life
WASHINGTON, June 26 (TNSLrpt) -- The Government Accountability Office issued the following report:
* * *
Innovation in Action: Bringing New Ideas to Life
Fast Facts
Every medication started as an idea. Our new Scroll-Driven Narrative tells the story of how pharmaceutical companies and the federal government work together to turn ideas into innovative medical treatments.
The companies can develop new drugs using patented discoveries made by federal researchers. This gives companies a head start and helps federal research make a bigger impact.
But the government can do a better job of measuring, tracking, and documenting these benefits.
For example, we found 34 drugs that were developed using National Institutes of Health research. But a lack of publicly available information made finding this difficult.
Illustration from our Scroll-Driven Narrative: a pharmacist handing medication to a person.
Highlights
This Scroll-Driven Narrative tells the story of how pharmaceutical companies and the federal government work together to turn ideas into innovative medical treatments. It is a companion to GAO's report Biomedical Research: NIH Should Publicly Report More Information about the Licensing of Its Intellectual Property, GAO-21-52. This product highlights key themes from GAO's prior work, particularly the lack of publicly available information on licensing of intellectual property developed through National Institutes of Health (NIH) research. It also highlights recommendations from GAO's prior work and NIH efforts to implement them.
For more information, contact Candice N. Wright at wrightc@gao.gov.
***
Original text here: https://www.gao.gov/products/gao-26-109055
Technology Release and Foreign Disclosure: DOD Is Taking Action to Help Improve Its Processes
WASHINGTON, June 26 (TNSLrpt) -- The Government Accountability Office issued the following report:
* * *
Technology Release and Foreign Disclosure: DOD Is Taking Action to Help Improve Its Processes
Fast Facts
DOD and other agencies use specific processes to determine whether to sell defense items, such as tanks and guns, and disclose sensitive information to U.S. allies.
In 2024, Congress told DOD to assess how well those processes were working. By year's end, DOD reported on challenges and proposed reforms to improve efficiency. For example, decisions to release specialized technology require multiple stakeholders to weigh in. DOD is exploring the creation of a centralized policy database to coordinate efforts.
DOD officials told us that DOD had implemented 26 of 33 planned reforms as of May 2026 and is set to complete all 33 by November 2026.
Highlights
What GAO Found
To strengthen the United States' and its foreign partners' security, the U.S. government sells or provides defense articles and services to more than 100 foreign governments and international organizations that request them. The Department of Defense (DOD), with other agencies, uses technology release and foreign disclosure policies and procedures (the TRFD processes) to determine whether to share sensitive military technology and intelligence with foreign partners. Generally, the TRFD processes start when a foreign partner submits a request to DOD. Designated officials manage the request to obtain approval from the relevant military departments and interagency stakeholders.
Example of Items Procured Through Technology Release and Foreign Disclosure Processes
DOD officials identified operational challenges affecting the execution of the TRFD processes and described steps DOD is taking to mitigate them. According to officials, weighing the national security implications of releasing sensitive technology is inherently time consuming and specialized. Moreover, decision-making is distributed among multiple stakeholders, with different authorities, which may complicate coordination among these processes. To facilitate coordination, DOD is taking some mitigating steps and considering establishing a knowledge repository system to track TRFD policies and decisions.
DOD has taken steps to enact reforms of the TRFD processes. According to officials, DOD began implementing TRFD reforms in November 2025 and intended to complete them within a year. Officials also said that DOD was tracking progress on the reforms and, as of May 2026, had completed 26 of 33 reform action items. While DOD will likely undertake additional TRFD reforms in the future, officials said it is on track to complete the current efforts by November 2026 because of support from senior DOD leadership and effective prioritization of the reforms.
Why GAO Did This Study
In recent years, Congress and others have raised questions about the transparency and accountability of the TRFD processes. The National Defense Authorization Act for Fiscal Year 2024 required DOD to submit a report to Congress assessing various aspects of the TRFD processes. In December 2024, DOD submitted the report. In addition, in April 2025, Executive Order 14268 directed DOD to implement TRFD reforms as part of an effort to facilitate foreign military sales.
The joint explanatory statement accompanying the 2025 NDAA included a provision for GAO to conduct an independent assessment of DOD's TRFD reform initiative. This report describes (1) DOD's TRFD processes, (2) challenges related to the TRFD processes and steps DOD is taking to mitigate them, and (3) DOD's progress in implementing organizational reforms proposed in its December 2024 report and directed in Executive Order 14268.
GAO reviewed documents from DOD, including DOD's Security Assistance Management Manual. In addition, GAO met with DOD officials and attended a course for foreign disclosure officers.
For more information, contact James Reynolds at reynoldsj@gao.gov.
***
Original text here: https://www.gao.gov/products/gao-26-108435
National Security Snapshot: DOD's Military Health System Reforms and Challenges
WASHINGTON, June 25 (TNSLrpt) -- The Government Accountability Office issued the following report:
* * *
National Security Snapshot: DOD's Military Health System Reforms and Challenges
Highlights
The Big Picture
The Department of Defense (DOD) military health system provides medical care to 9.4 million beneficiaries, including service members and their families around the globe. This care is delivered through over 700 medical facilities with more than 100,000 military, civilian, and contractor employees, and a vast network of private sector health care providers. DOD estimates that it will spend over $72.5 billion for the military health system in fiscal year 2027.
For more than a decade, DOD has taken actions to reform its health system in response to legislative requirements and to more effectively manage the system. For example, in response to December 2016 legislation, the Defense Health Agency (DHA), a combat support agency, took over the administration and management of DOD's medical facilities from the Army, Navy, and Air Force. In making this change, DOD sought to create a more efficient oversight structure for the medical facilities that would help lower costs and improve beneficiary care, in part by shifting some patients to private sector care.
Military Health System Organizational Reforms Since 2016
However, as GAO reported in July 2025, the ability to supply health care across the military health system remains constrained by insufficient numbers of medical personnel and allocation of fiscal resources to other readiness priorities, according to DHA officials. DOD continued to examine the need for further reform and adopted a new strategy to increase the capacity of DOD's medical facilities to provide both beneficiary care and training opportunities for military medical personnel. According to DOD, such efforts are intended to stabilize the military health system by reattracting beneficiaries to its facilities from private sector care.
Key Challenges Identified by GAO
GAO's work has identified various organizational reform and personnel management challenges that affect the success of the military health system.
Organizational reform challenges. DOD has not identified the necessary resources or conducted sufficient oversight to support its reform efforts.
Personnel management challenges. DOD does not have key information needed to manage and oversee its military medical personnel nor sufficient metrics to assess their clinical readiness.
Implications for National Security
The military health system supports the health of service members so that they are ready to deploy. In addition, the system exists to ensure that military medical personnel are prepared to provide medical care in support of missions that include operational, wartime, and mass casualty events. This is referred to as clinical readiness.
GAO has reported on a long-standing concern that DOD's medical facilities may not be able to provide sufficient opportunities to sustain the skills of some military medical personnel, such as those who provide trauma and critical care services. DOD's efforts to address legislative reforms over time have been, in part, intended to address this concern by increasing the clinical readiness of military medical personnel.
Addressing the persistent challenges identified in this product, such as by implementing GAO's related recommendations, would enhance DOD's ability to ensure the clinical readiness of its medical personnel in operational and wartime environments. This would further help DOD achieve its goal of stabilizing and improving the health system. DOD generally concurred with the recommendations listed in this product and has stated plans to address them over time.
GAO Recommendations
Selected GAO Open Recommendations Related to DOD's Military Health System from Fiscal Year 2019 Through June 2026
Resources needed to support organizational reform efforts
The Department of Defense (DOD) has not fully determined the resources necessary for implementing its organizational reform.
* DOD should validate headquarters-level personnel requirements and identify the least costly mix of military, civilian, and contractor personnel needed to achieve mission objectives. (GAO-19-53)
* DOD should issue guidance detailing processes to determine and validate the number of personnel needed to manage and support its medical facilities. (GAO-25-107432)
* DOD should review Defense Health Agency business functions to determine which ones it will consolidate to manage and support its medical facilities. (GAO-25-107432)
Oversight of organizational reform efforts
DOD has not comprehensively monitored or involved Congress in the development of its organizational reform efforts.
* DOD should establish a systematic process to comprehensively monitor actions taken to address statutory requirements for military health system reforms, such as by consolidating responsible leaders, actions taken, and time frames into a single data source. (GAO-23-105710)
* DOD should continuously involve key stakeholders including Congress in developing and implementing its network structure to manage its medical facilities and ensure congressional views are reflected. (GAO-25-107432)
Management and oversight of medical personnel
DOD does not have key information needed to better monitor medical facility staffing and address staffing gaps.
* DOD should develop a strategic total workforce plan which includes, among other things, strategies, tools, and metrics to monitor and evaluate progress toward reducing personnel gaps. (GAO-19-102)
* DOD should issue guidance to assess the potential effect of medical personnel reductions on medical facilities. (GAO-23-106094)
* DOD should take actions, such as issuing guidance and addressing data quality issues, to improve the use of timecard data to monitor military medical personnel work time at medical facilities. (GAO-25-106988)
Efforts to monitor clinical readiness of medical personnel
DOD has not developed sufficient metrics to assess and monitor clinical readiness of medical personnel.
* DOD should develop metrics to assess medical facility contributions toward enlisted medical personnel wartime medical skills sustainment. (GAO-21-337)
* DOD should issue guidance for collecting complete clinical activity data from military-civilian partnerships for certain personnel. (GAO-26-107677)
* The military departments (Army, Navy, and Air Force) should each establish processes to fully assess the contributions of civilian training partnerships to the clinical readiness of military medical personnel. (GAO-26-107677)
For more information, contact Rashmi Agarwal at AgarwalR@gao.gov.
***
Original text here: https://www.gao.gov/products/gao-26-109066
Cybersecurity: Selected Agencies Need to Better Protect Cloud Data
WASHINGTON, June 25 (TNSLrpt) -- The Government Accountability Office issued the following report:
* * *
Cybersecurity: Selected Agencies Need to Better Protect Cloud Data
Fast Facts
Cloud computing services allow access to resources like networks, storage, and software. It can cost federal agencies less to use these services than to create their own. But using cloud computing services can pose cybersecurity risks.
We looked at how some agencies protect data in the cloud. Agencies we reviewed varied in implementing key cloud computing security practices. For example, some agencies didn't fully implement continuous monitoring of their security controls. Also, some agencies didn't document how to respond to or recover from cybersecurity incidents.
Our recommendations address these issues and more to ensure cloud services are safe.
Highlights
What GAO Found
Four selected agencies, the Departments of State, Transportation, Veterans Affairs (VA), and the Small Business Administration (SBA), varied in their efforts to implement and ensure contractor compliance with three key cloud security practices. Specifically, one agency had fully implemented all three practices for two of its systems and one agency had fully implemented the practices for one of its systems. The agencies partially implemented the practices for the remaining five systems (see figure).
Figure: Agencies' Implementation of Key Cloud Security Practices
Note (a): Due to sensitivity concerns, GAO is not disclosing the names of the selected systems in this report. Systems are identified by their cloud service model.
For example, agencies fully performed continuous monitoring for three of the eight selected systems. Although most of the agencies developed and implemented a plan for continuous monitoring, they did not always review continuous monitoring deliverables from the provider. Agencies fully implemented the practice regarding service level agreements for five out of eight systems. For the remaining three systems, agencies' agreements did not consistently define performance metrics, including how they would be measured and the enforcement mechanisms.
Fully implementing the key practices will support the agencies' efforts to ensure the confidentiality, integrity, and availability of agency information in their cloud systems. For example, without a robust continuous monitoring program, the agencies may have diminished ability to identify and mitigate control deficiencies and emerging threats. Additionally, the agencies may not promptly detect unauthorized access attempts or anomalous activity, leaving critical systems and data exposed to compromise.
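One way to carry out the deliverable review the paragraphs above describe, as an added example that is not part of the GAO report or any agency's code: the script below parses a constructed monthly provider deliverable, checks that the SLA's remediation metric defines how it is measured and how it is enforced, and flags open findings past their deadline. The CSV layout, the SLA structure, and the remediation timeframes (modelled on FedRAMP's continuous-monitoring guidance: High 30, Moderate 90, Low 180 days) are assumptions, not anything the report states.

```python
"""Added example, not from the GAO report or any agency: reviewing a cloud
provider's monthly continuous-monitoring deliverable against SLA-defined
remediation metrics.

Assumptions (nothing here is stated in the report):
- the provider delivers a monthly vulnerability scan summary as CSV;
- the SLA sets a remediation deadline per severity, modelled on FedRAMP's
  continuous-monitoring timeframes (High 30, Moderate 90, Low 180 days),
  plus how the metric is measured and how it is enforced.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# SLA metric definition with the three elements GAO looked for in the
# agreements: the metric itself, how it is measured, and how it is enforced.
SLA = {
    "remediation_days": {
        "high": 30,
        "moderate": 90,
        "low": 180,
        "measured_by": "days from scan discovery date to closure in the monthly POA&M",
        "enforced_by": "escalation to the authorizing official after two missed cycles",
    }
}

# Constructed sample deliverable; not real scan data.
SAMPLE_DELIVERABLE = """finding_id,severity,discovered,status
F-1001,high,2026-04-01,open
F-1002,moderate,2026-01-15,open
F-1003,low,2025-11-01,closed
F-1004,high,2026-05-20,open
F-1005,critical,2026-05-01,open
"""


@dataclass
class Finding:
    finding_id: str
    severity: str
    discovered: date
    status: str


def parse_deliverable(text):
    """Parse the provider's CSV deliverable into Finding records."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append(Finding(
            finding_id=row["finding_id"],
            severity=row["severity"].strip().lower(),
            discovered=date.fromisoformat(row["discovered"]),
            status=row["status"].strip().lower(),
        ))
    return findings


def sla_gaps(sla):
    """Return metric fields that are missing: an SLA with no measurement
    method or enforcement mechanism cannot actually be enforced."""
    gaps = []
    for name, metric in sla.items():
        for field in ("measured_by", "enforced_by"):
            if not metric.get(field):
                gaps.append(f"{name}.{field}")
    return gaps


def review(findings, sla, as_of):
    """Flag open findings past their SLA deadline as of the review date.

    Returns overdue findings as (id, severity, days_past_deadline) tuples,
    open findings whose severity the SLA never defined (a metric gap, not
    a pass), and any missing SLA fields."""
    deadlines = sla["remediation_days"]
    overdue, unmapped = [], []
    for f in findings:
        if f.status != "open":
            continue
        if f.severity not in deadlines:
            unmapped.append(f.finding_id)
            continue
        age_days = (as_of - f.discovered).days
        if age_days > deadlines[f.severity]:
            overdue.append((f.finding_id, f.severity, age_days - deadlines[f.severity]))
    return {"overdue": overdue, "unmapped_severity": unmapped, "sla_gaps": sla_gaps(sla)}


def review_sample():
    """Run the review over the constructed deliverable as of a fixed date."""
    return review(parse_deliverable(SAMPLE_DELIVERABLE), SLA, date(2026, 6, 1))


if __name__ == "__main__":
    result = review_sample()
    for finding_id, severity, late in result["overdue"]:
        print(f"{finding_id}: {severity} finding {late} days past SLA deadline")
    for finding_id in result["unmapped_severity"]:
        print(f"{finding_id}: severity not covered by SLA; metric gap")
    print("SLA field gaps:", result["sla_gaps"] or "none")
```

A severity the SLA never mapped is surfaced as a gap rather than silently passed, which is the "did not consistently define performance metrics" failure the report describes; the same check applied to an SLA missing its measurement or enforcement fields reports those fields by name.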
Why GAO Did This Study
Federal agencies are faced with the need to accelerate their adoption of cloud services while ensuring the systems that support their missions are secure. Consequently, working with cloud service providers to effectively implement information security controls is a vital part of reducing risks to agency systems.
The Federal Information Security Modernization Act of 2014 includes a provision for GAO to periodically evaluate federal agencies' information security policies and practices. This report assesses the extent to which selected agencies are ensuring contractor compliance with key cloud computing security practices.
To do so, GAO selected four agencies (State, Transportation, VA, SBA) based on their number of cloud authorizations, excluding agencies profiled in recent GAO reports. GAO reviewed two cloud systems at each agency, each of which represented a range of services. GAO administered a standard set of questions, compared documentation on the implementation of key cloud-related practices for each system identified in federal policies and guidance, and interviewed agency officials. GAO rated each agency as having fully, partially, or not implemented each practice for the selected systems.
Recommendations
GAO is making 12 recommendations to State, VA, and the SBA to fully implement key cloud security practices. VA agreed with the recommendations, and State neither agreed nor disagreed. SBA did not provide comments on the report. State and VA also described actions taken or planned to address the recommendations.
Recommendations for Executive Action
Agency Affected / Recommendation / Status

Department of State
Recommendation: The Secretary of State should ensure that the agency fully implements continuous monitoring for its selected PaaS system, to include reviewing continuous monitoring deliverables from the cloud service provider. (Recommendation 1)
Status: Open. Actions to satisfy the intent of the recommendation have not been taken or are being planned. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of State
Recommendation: The Secretary of State should ensure that the agency fully implements incident response and recovery for its selected PaaS system, to include documenting plans or procedures for coordinating incident response and recovery with providers. (Recommendation 2)
Status: Open. Actions to satisfy the intent of the recommendation have not been taken or are being planned. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should ensure that the agency fully implements continuous monitoring for its selected PaaS system, to include collecting and reviewing audit logs. (Recommendation 3)
Status: Open. Actions to satisfy the intent of the recommendation have not been taken or are being planned. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should ensure that the agency fully implements continuous monitoring for its selected SaaS system, to include collecting and reviewing audit logs. (Recommendation 4)
Status: Open. Actions to satisfy the intent of the recommendation have not been taken or are being planned. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should ensure that the agency fully implements incident response and recovery for its selected PaaS system, to include documenting plans or procedures for measuring and tracking incident response time. (Recommendation 5)
Status: Open. Actions to satisfy the intent of the recommendation have not been taken or are being planned. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should ensure that the agency fully implements incident response and recovery for its selected SaaS system, to include documenting plans or procedures for testing incident response and recovery procedures. (Recommendation 6)
Status: Open. Actions to satisfy the intent of the recommendation have not been taken or are being planned. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should ensure that the agency's service level agreements with providers define performance metrics, including how they are measured and the enforcement mechanisms. (Recommendation 7)
Status: Open. Actions to satisfy the intent of the recommendation have not been taken or are being planned. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Small Business Administration
Recommendation: The Administrator of the Small Business Administration should ensure that the agency fully implements continuous monitoring for its selected PaaS system, to include implementing a continuous monitoring plan, reviewing continuous monitoring deliverables from the cloud service provider, documenting the use of vulnerability management tools, and collecting and reviewing audit logs. (Recommendation 8)
Status: Open. Actions to satisfy the intent of the recommendation have not been taken or are being planned. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Small Business Administration
Recommendation: The Administrator of the Small Business Administration should ensure that the agency fully implements continuous monitoring for its selected SaaS system, to include documenting the use of vulnerability management tools. (Recommendation 9)
Status: Open. Actions to satisfy the intent of the recommendation have not been taken or are being planned. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Small Business Administration
Recommendation: The Administrator of the Small Business Administration should ensure that the agency fully implements incident response and recovery for its selected PaaS system, to include documenting plans or procedures for identifying, containing, and mitigating cloud security incidents; coordinating incident response and recovery with providers and the Cybersecurity and Infrastructure Security Agency; ensuring providers report incidents promptly; measuring and tracking incident response time; and testing incident response and recovery procedures. (Recommendation 10)
Status: Open. Actions to satisfy the intent of the recommendation have not been taken or are being planned. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Small Business Administration
Recommendation: The Administrator of the Small Business Administration should ensure that the agency fully implements incident response and recovery for its selected SaaS system, to include documenting plans or procedures for identifying, containing, and mitigating cloud security incidents; coordinating incident response and recovery with providers and the Cybersecurity and Infrastructure Security Agency; and measuring and tracking incident response time. (Recommendation 11)
Status: Open. Actions to satisfy the intent of the recommendation have not been taken or are being planned. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Small Business Administration
Recommendation: The Administrator of the Small Business Administration should ensure that the agency's service level agreements with providers define performance metrics, including how they are measured and the enforcement mechanisms. (Recommendation 12)
Status: Open. Actions to satisfy the intent of the recommendation have not been taken or are being planned. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
***
Original text here: https://www.gao.gov/products/gao-26-108443