Pentagon CIOs slapped over cloud security by auditors days before 3TB of emails exposed

Days before the exposure this week of over three terabytes of military emails owing to misconfigured Azure services, the US Department of Defense (DoD)’s Inspector General had warned Pentagon CIOs that their teams were not properly reviewing documentation designed to ensure military cloud security – and running systems with unmitigated vulnerabilities that put DoD “at an increased risk of successful cyber attacks, system and data breaches, data loss and manipulation, or unauthorized disclosures of mission‑essential or sensitive information.”

(The US Special Operations Command email server was first detected spilling data on February 8, likely due to human error that left it remotely accessible without a password. This went undetected for around two weeks before it was spotted and disclosed by security researcher Anurag Sen, as first reported by TechCrunch. Whilst none of the data viewable was classified, it included significant amounts of background information on security clearance holders. Microsoft and the Pentagon are investigating how this happened and, no doubt, why tools were not in place to automatically detect and alert stakeholders that the server had been left exposed.)

Inspector General warning on Department of Defense cloud security

A screengrab from the OIG "Audit of the DoD’s Compliance with Security Requirements When Using Commercial Cloud Services".

The Office of the Inspector General (OIG) had warned on February 16 that its investigation of five cloud systems across the Air Force, Army, Marine Corps, and Navy found that “three authorized commercial CSOs [cloud service offerings] used by the DoD Components had a combined [redacted] significant unmitigated vulnerabilities.”

The OIG’s report (an "Audit of the DoD’s Compliance with Security Requirements When Using Commercial Cloud Services") also said that IT staff were relying on “FedRAMP and DoD authorization and continuous monitoring processes without reviewing and considering the risks identified by those processes to fully understand the overall cybersecurity posture of the authorized commercial CSOs. Specifically, [procuring staff] did not review the authorized commercial CSOs’ documentation supporting the FedRAMP and DoD authorizations… [and also] did not review documentation supporting the continuous monitoring activities.”

Some of the assertions in the February 16 report by the Inspector General have been bitterly contested by defence CIOs. The report had warned not just of unpatched systems (heavy redactions mean the precise vulnerabilities were not divulged) but also blasted defence staff responsible for cloud contracts for not reviewing “required documentation to consider the authorized commercial... risks [because they believed that] FedRAMP and DoD authorization process was sufficient to mitigate risks…” (FedRAMP is a US government-wide programme that provides a standardised approach to security assessment, authorisation, and continuous monitoring for cloud products and services. The report suggests, in short, that staff had assumed FedRAMP approvals meant they did not need to do a great deal more to ensure their cloud use was secure.)

Pentagon CIOs suggest cloud security report from OIG had errors...

Among the reactions to the report was one from the CIO of the Defense Information Systems Agency (DISA), who warned in a letter published as part of the report that the Inspector General’s recommendations “could be interpreted to require reassessments of the authorized commercial CSOs, which was contrary to the DoD’s practice of ‘do once – reuse many’ based on the FedRAMP and DoD authorization processes”.

(The argument will be poignant to many defense IT staffers who have grappled with stultifying bureaucracy and welcomed moves by modernising DoD CIOs to move faster and more efficiently; if, of course, securely.)

The DISA CIO also appeared to suggest that the Inspector General’s auditors were going off half-cocked over their concerns at unpatched vulnerabilities, arguing (in the OIG's own paraphrasing of their response) that “all vulnerabilities did not present an increased risk to the CSO or DoD data and could be mitigated through activities other than patching” and over contractually agreed timelines. (The Inspector General gave this short shrift, saying that “we identified unmitigated vulnerabilities for three commercial CSOs… that did not comply with timelines established by FedRAMP and the DoD Cloud Computing Security Requirements Guide.”)

The Department of the Navy CIO (DON CIO) also objected to elements of the OIG report (which was based on a performance audit from January 2020-November 2022), saying that “some of the findings may be a misunderstanding or a misinterpretation of the DoD Cloud Computing Security Requirements Guide (SRG) or of the information provided during the audit by the Mission Owner and the Authorizing Official (AO).”

SRGs, AOs, DISAs, DODs, DONs, CSOs, FedRAMPs...

An alphabet soup of agencies and rules may be part of the problem -- shared responsibility can be challenging at the best of times -- and the responses point to a wide-ranging series of potential misunderstandings or crossed wires over precisely who is responsible for ensuring that the various existing rules around cloud security are adhered to, and perhaps even an assumption in some quarters that FedRAMP compliance means you can build and forget infrastructure. The OIG suggests that cloud partners may not be doing their part either...

“By only reviewing internal network and system‑specific risks, AOs have reduced awareness of the authorized commercial CSOs’ vulnerabilities or risks that could impact their DoD Component’s overall cybersecurity posture, network or mission. For example, AOs would not be aware of systemic risks, such as the vulnerabilities that we identified with the authorized commercial CSOs used by the DoD Components that could allow malicious actors to exploit or circumvent user authentication, elevate user privileges, or make system configuration changes. Without awareness of the authorized commercial CSOs’ systemic risks, AOs would also not be able to implement any additional controls needed to reduce the overall risks associated with using the authorized commercial CSOs.”
