Agencies Can’t Make Informed Decisions Without Cloud Visibility
GAO discovered the four audited agencies fully performed continuous monitoring for only three of their 15 systems and only partially implemented the practice for the remaining 12. All had plans for continuously monitoring their systems but failed to fully document their progress because none thought it necessary.
Complete documentation ensures ongoing awareness of changes to systems’ security and privacy posture; until continuous monitoring is fully implemented, department risk management decisions would suffer, GAO’s report reads.
Still, agencies have made continuous monitoring improvements internally; they just need to do a better job of contractually requiring cloud service providers to perform such activities, Hinchman says.
Automation of continuous monitoring should also be discussed during an agency’s planning process.
“I think the continuous monitoring is going to be a challenge,” Hinchman says. “But we're looking forward to working with the agencies over the next couple of years to see their progress and get those recommendations implemented.”