July 14, 2026
Dave Hinchman, Director of Information Technology and Cybersecurity at the Government Accountability Office (GAO), says federal agencies have an opportunity to strengthen cloud security as cloud adoption continues to accelerate across government. During an interview on Fed Gov Today, Hinchman explains that while cloud computing delivers efficiencies and allows agencies to focus more on their missions, many organizations still need to improve how they manage and oversee cloud environments.
To better understand current practices, GAO examines cloud deployments at four agencies: the Departments of State and Transportation, the Department of Veterans Affairs, and the Small Business Administration. Hinchman says GAO selects the agencies based on the number of existing cloud authorizations they manage, then reviews both platform-as-a-service and software-as-a-service deployments that support multiple agency functions. The goal is to evaluate complex, real-world cloud environments rather than isolated systems.
Across those agencies, Hinchman says one theme stands out: there is still significant work to do. He explains that GAO identifies recurring challenges with continuous monitoring of cybersecurity controls, service level agreements, and overall oversight of cloud providers. While agencies often move to the cloud to improve efficiency and reduce operational burdens, Hinchman emphasizes that migrating systems does not eliminate an agency's responsibility for protecting its data.
Cloud computing, he notes, has become a major investment for the federal government, with spending reaching roughly $10 billion annually. That growth makes strong governance increasingly important. Agencies benefit from relying on specialized cloud providers, but they must clearly define responsibilities from the very beginning of a contract. Hinchman says agencies need to establish who is responsible for cybersecurity activities, ensure security logs are reviewed regularly, and maintain compliance with federal reporting and contracting requirements throughout the life of the deployment.
Rather than viewing cloud adoption as simply moving workloads to another environment, Hinchman encourages agencies to fully understand what it means to operate systems managed by a third party. He cautions against pursuing "cloud for cloud's sake" and stresses that agencies remain accountable for the services they purchase. Effective communication with cloud providers, he says, is essential to maintaining secure operations.
GAO focuses on three key practices during its review: continuous monitoring, incident response and recovery, and service level agreements. Hinchman highlights continuous monitoring and service level agreements as areas where agencies can make immediate improvements. Vendors may perform the technical monitoring, but agencies still need to review logs, understand the threats affecting their environments, and verify that appropriate protections remain in place. Likewise, well-defined service level agreements establish measurable performance expectations, clarify responsibilities, and outline remediation plans when problems arise.
Hinchman also points to the evolving Federal Risk and Authorization Management Program (FedRAMP) as an important development for agencies. As aspects of FedRAMP shift more responsibility to individual agencies, organizations will need to conduct greater due diligence when evaluating cloud providers and ensuring their environments remain secure. The lessons identified in GAO's review become even more important under this evolving model.
While GAO's study examines only a limited number of cloud deployments, Hinchman says the findings reinforce broader cybersecurity challenges that government organizations continue to face. Strengthening oversight, maintaining continuity through leadership transitions, and treating cybersecurity as an ongoing responsibility will help agencies better protect taxpayer data while continuing to modernize their technology environments.