Why It Matters
A Government Accountability Office report released on June 25 examined how federal agencies are managing cloud data security as they increasingly shift operations to cloud computing services. The stakes are significant. Federal agencies handle sensitive information ranging from national security data to personal records of millions of Americans. As these agencies migrate to cloud platforms to reduce costs and improve efficiency, they face mounting cybersecurity risks that could expose classified information, compromise critical infrastructure, or jeopardize citizen privacy.
Cloud computing services provide federal agencies with access to networks, storage, and software without the burden of building and maintaining their own infrastructure. The financial appeal is clear: using cloud computing services can cost federal agencies substantially less than creating their own services. Yet this cost advantage comes with a critical tradeoff. Using cloud computing services can pose cybersecurity risks that agencies have struggled to manage adequately.
The report arrives at a moment when federal cloud adoption is accelerating. Agencies across the government are racing to modernize legacy systems, and cloud migration has become a default strategy. But the GAO's findings suggest that many agencies lack comprehensive cloud data security frameworks, leaving critical government operations and citizen data vulnerable to breach, theft, or disruption.
Cloud Migration
Federal agencies began shifting toward cloud computing roughly a decade ago, driven by the promise of operational efficiency and cost reduction. The appeal was straightforward: rather than investing billions in physical data centers and IT infrastructure, agencies could leverage commercial cloud providers' platforms and pay only for what they used.
This shift accelerated following the 2014 Federal Cloud Computing Strategy, which encouraged agencies to adopt cloud-first policies. By the early 2020s, cloud adoption had become mainstream across the federal government. Agencies managing everything from tax records to military intelligence were evaluating or already using cloud services. The trend reflected a broader government-wide push toward digital transformation and modernization.
The cost savings were real but not unlimited. While cloud computing services could reduce expenses compared to maintaining on-premises infrastructure, agencies discovered that cloud migration required substantial upfront investment in planning, security architecture, and staff training. Some agencies found themselves paying premium prices for cloud services without realizing the promised savings. Others migrated to the cloud only to discover their existing security practices were inadequate for cloud environments.
The Vulnerability Gap
The fundamental challenge lies in cloud computing itself. Unlike traditional on-premises systems where an agency maintains complete physical and logical control, cloud services involve third-party vendors managing critical infrastructure. This shared responsibility model creates ambiguity about who is responsible for what security measures.
Federal agencies operate under strict cybersecurity requirements. The Federal Information Security Modernization Act mandates that agencies implement security controls and conduct regular audits. Yet many agencies lacked clear guidance on how to apply these requirements in cloud environments. Security frameworks developed for traditional data centers did not always translate cleanly to cloud platforms.
The GAO report documented gaps in how agencies were implementing cloud data protection. Some agencies had not completed adequate risk assessments before moving sensitive data to the cloud. Others failed to implement encryption standards or access controls that matched their on-premises security practices. A few agencies discovered after migration that their cloud providers did not offer security features they had assumed were standard.
Compliance represented another vulnerability. Federal agencies must meet various regulatory and statutory requirements depending on their mission. The Department of Defense operates under different security standards than the Social Security Administration. Yet agencies often selected cloud providers based primarily on cost rather than on their ability to meet specific compliance requirements. The result was a patchwork of cloud deployments with inconsistent security postures.
Data Portability
Beyond immediate cybersecurity concerns, the GAO report highlighted a structural problem that could constrain federal agencies for years: vendor lock-in. Once an agency migrates substantial volumes of data and applications to a particular cloud provider, switching providers becomes expensive and technically complex. This dependency can limit an agency's negotiating power and leave it vulnerable to price increases or service degradation.
Data portability emerged as a related concern. Some cloud providers use proprietary formats or architectures that make it difficult for agencies to extract their data when they switch vendors or bring services back in-house. This lack of portability can trap agencies in long-term relationships with vendors, even if those relationships prove unsatisfactory.
The report suggested that agencies should have negotiated stronger contractual terms around data portability and exit strategies before signing cloud service agreements. Yet many agencies had not done so, having prioritized rapid migration over long-term flexibility. This created a scenario where federal agencies could find themselves locked into cloud arrangements that do not serve their interests but are difficult to exit.
Cybersecurity Risks
The intersection of cloud adoption and government cybersecurity risks creates multiple pressure points. Federal agencies handle classified information subject to strict security protocols. Moving classified data to commercial cloud platforms requires extensive security certification and oversight. Yet some agencies had moved sensitive unclassified information to commercial clouds without fully understanding the implications.
Cloud data protection standards vary significantly among providers. A commercial cloud platform designed primarily for businesses might not meet the security requirements necessary for government use. Agencies discovered they needed to implement additional security layers on top of their cloud providers' offerings, adding cost and complexity.
Compliance verification presented another challenge. Federal auditors need to assess whether agencies are meeting their security obligations. In cloud environments, this becomes more difficult because some security controls rest with the vendor rather than the agency. Auditors must evaluate vendor security practices, which requires different expertise and access than traditional auditing.
The report documented instances where agencies could not provide auditors with complete visibility into their cloud security posture. Some vendors restricted what security information they would disclose, citing proprietary concerns. This opacity made it difficult for agencies to verify compliance and for auditors to ensure that sensitive government data was adequately protected.
The Bottom Line
The GAO report offered recommendations for improving how federal agencies approach cloud data security. These include establishing clearer security standards specific to cloud environments, requiring agencies to complete thorough risk assessments before cloud migration, and negotiating stronger contractual protections around data security and portability.
Implementation of these recommendations will require coordination across the federal government. No single agency can solve the cloud security challenge alone. The Office of Management and Budget, which oversees federal IT policy, would need to provide updated guidance. Individual agencies would need to invest in staff training and security architecture expertise. And federal auditors would need to develop new methodologies for evaluating cloud security.
The challenge is urgent. Federal agencies continue migrating to the cloud. Each day of delay in implementing stronger cloud data security practices increases the risk that sensitive government information could be compromised. The GAO report provides a roadmap, but translating that roadmap into practice will require sustained attention and resources from Congress and the executive branch.
