The Office of Management and Budget is pushing back against the recent critical report on federal cloud computing efforts by 19 civilian agency inspectors general.
An OMB official said that while the agency appreciates the IGs’ report, it fails to address several key initiatives that ensure oversight over cloud computing.
“Federal agencies have already made significant progress on a number of fronts not noted in the report, to ensure the security of cloud computing environments,” the official said in an email. “We will work with agencies as they fully implement current cloud policy and FedRAMP authorizations, and we will continue to improve oversight as cloud capabilities and programs continue to mature.”
In an analysis of 77 commercial cloud contracts across 19 civilian agencies, the IGs found that most failed to implement federal guidance and best practices. One of the auditors’ key findings is that 59 of the cloud systems reviewed did not meet the requirement to become compliant with the Federal Risk and Authorization Management Program (FedRAMP) by June 2014, even though the requirement was announced on Dec. 8, 2011.
Among the efforts and policies the OMB official said are ensuring oversight and compliance are actions related to the December 2011 memo to CIOs, “Security Authorization of Information Systems in Cloud Computing Environments.” The official said, for example, agencies have implemented 160 cloud services or systems that are FedRAMP approved.
The official said OMB is collecting FedRAMP compliance data as part of the agency quarterly reports on cloud services through the Integrated Data Collection (IDC), and is reviewing this data with agencies in conjunction with PortfolioStat.
The official added OMB also will build upon this existing reporting mechanism to include clarification of the actual name of systems and contract start dates to monitor whether new contracts are occurring without meeting FedRAMP certification requirements.
OMB seems to be taking the IGs’ findings seriously, but is far from agreeing with the auditors’ conclusions.
What was interesting about the IGs’ report is that neither OMB nor any of the agencies the auditors examined commented on the report. Nearly every other audit report, whether from an IG or from the Government Accountability Office, includes, at the very least, comments on the draft and technical corrections. The big question is what will come of the IG report. Will OMB ramp up its oversight in the coming months? Or will the recommendations the IGs made just be added to an ever-growing list of things agencies need to “fix”?
This post is part of Jason Miller’s Inside the Reporter’s Notebook feature.