Agencies are struggling to follow the rules around cloud computing.
The Council of Inspectors General analyzed 77 commercial cloud contracts across 19 civilian agencies and found most failed to implement federal guidance and best practices.
“The specificity of the requirements incorporated into the contracts used to procure cloud systems varied across the sample, with all 77 contracts lacking the detailed specifications recommended in federal cloud computing guidelines and best practices documentation,” the IGs wrote in the report released to the public Oct. 9. “Additionally, 59 cloud systems reviewed did not meet the requirement to become compliant with the Federal Risk and Authorization Management Program (FedRAMP) by June 5, 2014, even though the requirement was announced on December 8, 2011.”
IGs from 19 different civilian agencies selected a sample of 77 commercial cloud contracts worth about $1.6 billion for the survey. Each IG reviewed its sampled contract(s) independently based on a standardized matrix of questions and verified its results through the respective IG’s internal quality control processes, the report stated.
In the report, the IGs reviewed the sample contracts around three main areas: cloud contracting specifications, cybersecurity and IT inventory management.
In all three of those categories, a majority of the agencies struggled to meet CIO Council and Office of Management and Budget guidance and/or industry best practices.
“These issues occurred in part because there is no single authoritative source that details the specifications agencies should consider when procuring cloud computing services and that requires federal agencies to incorporate those specifications into cloud computing contracts,” the report stated.
OMB first issued its cloud-first policy in December 2010. In the nearly four years since, almost every agency has piloted cloud computing services, and many have adopted them wholeheartedly.
The council estimates agencies have issued a total of 348 contracts worth about $12 billion for cloud services.
An email to OMB seeking comment on the report was not returned.
The Council worked on the report between January and August, and it is one of only a few governmentwide reviews of agency cloud implementations in the last four years. The Government Accountability Office in 2012 reviewed the progress of seven agencies and found seven common challenges.
GAO’s findings more than two years ago match up with what the IGs found in 2014.
Among the most notable of the IGs’ findings is how little agencies knew, or acknowledged, about the requirement that their cloud services be FedRAMP approved.
The IGs found 59 of 77 systems didn’t meet the FedRAMP cybersecurity standards by June 5, OMB’s governmentwide deadline.
“Ultimately, this occurred because the agencies did not adequately plan in order to meet the June 5th deadline and the FedRAMP program management office does not have the authority to enforce FedRAMP compliance at the agency level,” the report stated.
“Additionally, agencies reported that their contractors were noncompliant because the contractors did not believe they were required to be FedRAMP compliant. Compounding the problem, the OIGs found that for 30 of the 59 noncompliant systems, the agencies did not establish a comprehensive inventory of all cloud services.”
The IGs also said the FedRAMP Joint Authorization Board (JAB), led by the departments of Defense and Homeland Security and the General Services Administration, does not have the authority to ensure compliance.
“Since there is no discernible penalty for noncompliance and no singular governing body with the authority to enforce compliance, the agencies do not have an incentive to timely comply with FedRAMP requirements and therefore did not adequately plan in order to meet the June 5, 2014 deadline,” the report stated. “Finally, many of the agencies that participated in the initiative had difficulty obtaining an accurate cloud system inventory due to a failure by agencies to report all cloud systems and a lack of consistency in applying cloud definitions.”
The IGs said 9 of 19 agencies did not have an accurate and complete inventory of their cloud systems.
Auditors found agency inventory processes relied too heavily on manual reporting and did not apply the governmentwide definition of cloud computing developed by the National Institute of Standards and Technology.
“Without accurate and complete inventories, the agencies involved do not know the extent to which their data reside outside their own information system boundaries and are subject to the inherent risks of cloud systems,” the report stated. “These risks include isolation failure, interception of data in transit, and insecure or ineffective deletion of data. These risks could expose agency data to unauthorized parties and potentially compromise the objectives of the agencies’ programs.”
Missing complete SLAs, NDAs and more
Agencies need an inventory of cloud systems for several reasons, including ensuring their network is properly protected against cyber attacks.
But cybersecurity comes down to more than FedRAMP and an inventory: agencies also failed to follow best practices in their terms and conditions with cloud service providers.
The report found that none of the 77 contracts reviewed contained all of the recommended elements: detailed service level agreements, specific data preservation responsibilities, delineated roles and responsibilities, federal regulation requirements, and audit and investigative access for IGs.
“Although the contracts tested did contain some of the elements, no one contract included all of the elements,” the IGs found. “This occurred in part because there is not a single, authoritative source that specifies the requirements agencies should consider when procuring cloud computing services and that requires federal agencies to incorporate those requirements into cloud computing contracts.”
Risk management was another area where agency contracts fell short.
Without such internal controls, agencies could not monitor and manage their cloud service providers, or protect the government data held in those providers’ systems against cyber attacks.
“Furthermore, because 42 contracts, totaling approximately $317 million, did not include detailed SLAs specifying how a provider’s performance was to be measured, reported, or monitored, the agencies are not able to ensure that CSPs meet adequate service levels, which increases the risk that agencies could misspend or ineffectively use government funds,” the report stated. “OIGs found that 42 contracts did not specify how a provider’s uptime percentage performance (the level of system availability that the CSP must provide to the agency for a specific period of time) was to be measured, reported, or monitored.”
Almost half of the contracts also lacked specifics around data preservation and non-disclosure agreements to protect sensitive or procurement information.
Additionally, a majority of the contracts lacked three further protections: terms and conditions letting auditors and agency officials conduct forensic investigations, for both criminal and non-criminal purposes, without interference from the CSP; procedures for electronic discovery during a criminal investigation; and language giving IGs “full and unrestricted access to the contractor’s (and subcontractor’s) facilities, installations, operations, documentation, databases, and personnel used in performance of the contract in order to conduct audits, inspections, investigations, or other reviews.”
The Council made four recommendations to OMB:
Establish standardized contract clauses that agencies must use when adopting cloud computing technologies;
Determine how best to enforce FedRAMP compliance;
Establish a process and reporting mechanism to ensure Federal agencies require CSPs to meet the FedRAMP authorization requirements in a timely manner;
Incorporate routine reviews of agency information system inventories into the continuous monitoring process.
The report did not include any agency or White House comments on its findings or recommendations.