- GAO has made 12 recommendations to strengthen cloud security practices
- GAO found that agencies have not fully implemented continuous monitoring and incident response
- The 2026 FedCiv Summit will explore AI, cloud, cybersecurity and more
The Government Accountability Office has issued 12 recommendations to the Departments of State and Veterans Affairs and the Small Business Administration to enhance federal cloud security practices following an assessment of continuous monitoring, incident response and service level agreement, or SLA, implementation across selected systems.

Amid cloud security challenges, federal agencies are navigating evolving cybersecurity and compliance demands as they modernize data and compute infrastructure in the AI era. These issues will be examined at the Potomac Officers Club’s 2026 FedCiv Summit on Oct. 29, where leaders will discuss artificial intelligence deployment, cloud and enterprise infrastructure, workforce enablement and cross-agency modernization priorities.
What Are GAO’s Recommendations?
In a report published Thursday, GAO said it recommended that State, VA and SBA fully implement continuous monitoring practices, including reviewing provider deliverables and collecting and reviewing audit logs.
The report also calls for strengthened incident response and recovery procedures and improved service level agreements that define performance metrics, measurement methods and enforcement mechanisms.
What Did GAO Find?
GAO found that selected agencies had not fully implemented key cloud security practices across all reviewed systems. While some systems showed partial or full implementation, gaps remained in continuous monitoring, incident response coordination and recovery documentation, and SLA performance definitions.
The congressional watchdog noted that these weaknesses may limit agencies’ ability to detect vulnerabilities and ensure provider accountability.
How Did GAO Conduct the Study?
GAO conducted the study by assessing four Chief Financial Officers Act agencies—State, VA, the Department of Transportation and SBA—selected based on cloud authorization data. The agency examined two cloud systems per agency and evaluated documentation, contracts and procedures against federal guidance from the Federal Risk and Authorization Management Program, the National Institute of Standards and Technology and the Office of Management and Budget.
GAO also conducted interviews with agency officials to validate implementation of key cloud security practices.
How Does the GAO Report Align With Recent Cybersecurity Executive Orders?
The GAO report aligns with recent executive actions issued by the Trump administration aimed at strengthening federal cybersecurity and preparing government systems for emerging technological threats. One executive order directs federal agencies to accelerate the transition to post-quantum cryptography standards to protect government data from future quantum computing risks. Another executive order focuses on advancing AI capabilities to improve cybersecurity defenses and protect critical infrastructure.
In addition, a presidential memorandum reestablishes the Committee on National Security Systems to enhance oversight and coordination of cybersecurity requirements across national security platforms.






