Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it's official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you're on a federal government site.


The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

HHS Cloud Infrastructure as a Service Security Audits

Federal agencies are increasingly adopting cloud computing services to address information technology needs. During FY 2020, HHS reported that more than 21 percent of its systems were in the cloud. In view of the increase in cloud adoption across HHS, we are concerned that HHS may not be aware of all cybersecurity risks associated with its Infrastructure as a Service (IaaS) cloud environments. The Federal Risk and Authorization Management Program and National Institute of Standards and Technology requirements establish that agencies protect any Federal information that is collected, maintained, and processed by cloud service platforms. We will perform a series of audits to assess the security of the HHS OpDivs' cloud IaaS configurations and test whether attack vectors exist that adversaries could leverage to access HHS data. We will determine whether HHS OpDivs have properly identified and inventoried their IaaS cloud assets. In addition, we will determine whether HHS and OpDivs have implemented effective cybersecurity controls for their cloud IaaS environments in accordance with Federal and HHS security requirements and guidelines.

Announced or Revised Agency Title Component Report Number(s) Expected Issue Date (FY)
Completed (partial) OS, ACF, CMS, CDC, FDA HHS Cloud Infrastructure as a Service Security Audits Office of Audit Services W-00-22-42041;