HHS Cloud Infrastructure as a Service Security Audits
Federal agencies are increasingly adopting cloud computing services to address information technology needs. During FY 2020, HHS reported that more than 21 percent of its systems were in the cloud. In view of the increase in cloud adoption across HHS, we are concerned that HHS may not be aware of all cybersecurity risks associated with its Infrastructure as a Service (IaaS) cloud environments. The Federal Risk and Authorization Management Program and National Institute of Standards and Technology requirements establish that agencies protect any Federal information that is collected, maintained, and processed by cloud service platforms. We will perform a series of audits to assess the security of the HHS OpDivs' cloud IaaS configurations and test whether attack vectors exist that adversaries could leverage to access HHS data. We will determine whether HHS OpDivs have properly identified and inventoried their IaaS cloud assets. In addition, we will determine whether HHS and OpDivs have implemented effective cybersecurity controls for their cloud IaaS environments in accordance with Federal and HHS security requirements and guidelines.
Announced or Revised | Agency | Title | Component | Report Number(s) | Expected Issue Date (FY) |
---|---|---|---|---|---|
Completed (partial) | OS, ACF, CMS, CDC, FDA | HHS Cloud Infrastructure as a Service Security Audits | Office of Audit Services | W-00-22-42041; A-18-22-08020 |
2024 |