Audit Initiated of DOT Cloud Services
Over the past 10 years, DOT and its Operating Administrations have increased their migration to and adoption of cloud computing based on Federal requirements. However, DOT-OIG continues to find that the Department lacks a comprehensive and accurate inventory of cloud systems—a key requirement for effective information system risk management. Additionally, in May 2021, the President issued Executive Order 14028, detailing the administration's goal to modernize Federal Government cybersecurity by accelerating the movement to secure cloud services, adopting security best practices, and advancing towards Zero Trust Architecture cybersecurity plans. Given the uncertainty over whether DOT is reporting a complete inventory of its cloud systems, DOT’s cloud systems are secure, and DOT has a strategy to address the Administration’s cybersecurity goals, DOT-OIG is initiating this review. Our audit objectives will be to assess the effectiveness of the Department’s (1) cloud systems’ security and privacy controls and (2) strategy to secure cloud services in order to implement Zero Trust Architecture.