GAO: Selected agencies need to better protect cloud data

(AVNSURESH / Pixabay)

By GAO • Jun 26, 2026

Four selected agencies—the Departments of State, Transportation, Veterans Affairs (VA), and the Small Business Administration —varied in their efforts to implement and ensure contractor compliance with three key cloud security practices. Specifically, one agency had fully implemented all three practices for two of its systems and one agency had fully implemented the practices for one of its systems. The agencies partially implemented the practices for the remaining five systems.

For example, agencies fully performed continuous monitoring for three of the eight selected systems. Although most of the agencies developed and implemented a plan for continuous monitoring, they did not always review continuous monitoring deliverables from the provider. Agencies fully implemented the practice regarding service level agreements for five out of eight systems. For the remaining three systems, agencies’ agreements did not consistently define performance metrics, including how they would be measured and the enforcement mechanisms.

Fully implementing the key practices will support the agencies’ efforts to ensure the confidentiality, integrity, and availability of agency information in their cloud systems. For example, without a robust continuous monitoring program, the agencies may have diminished ability to identify and mitigate control deficiencies and emerging threats. Additionally, the agencies may not promptly detect unauthorized access attempts or anomalous activity, leaving critical systems and data exposed to compromise.