HHS OIG Report Underscores Challenges of Securing the Cloud
Description

On July 22, 2024, HHS (Health and Human Services) OIG published a report identifying a need for the Department of Health and Human Services, Office of the Secretary (HHS OS) to improve key security controls to better protect cloud information systems. The report, while focused on HHS OS, underscores the challenges that many organizations face in managing cloud security and risk, comprehensive visibility, and control.

According to the report, while “HHS requires all HHS entities to identify, register, and maintain a current and accurate inventory of cloud systems” and components, HHS lacked documented procedures for verifying that the cloud systems inventories are accurate. This resulted in HHS OIG identifying 13 undocumented cloud systems in use at HHS OS. Relying on documentation of systems alone leaves organizations prone to human error and visibility gaps. Organizations need to be able to automate visibility across their multi-cloud environments, as well as the discovery of their external attack surface and partner-run cloud environments.

Additionally, HHS OIG found that System Security Officers do not always possess the skill sets required to effectively govern and assess cloud security controls. This resulted in HHS OIG identifying 12 key security controls that had either not been implemented or were not configured in accordance with Federal requirements, such as NIST (National Institute of Standards and Technology) SP 800-53 rev 4. In their audit, they identified…
