The Rising Risk of Federal Agency Cloud Investments

Published: October 01, 2014

Tags: Acquisition Reform, Cloud Computing, DOE, EPA, NASA

Agencies pushed by the Office of Management and Budget to adopt “Cloud First” have moved en masse into cloud computing, assuming a greater level of risk than would previously have been acceptable. Inspectors General at several agencies have found that the move to the cloud has resulted in uncoordinated investments, flawed or even absent data management policies, and a lack of FedRAMP security compliance. Under policy pressure, agencies have thus traded increased risk for greater savings, a situation that is fraught with potential problems for the future.

Last week saw the publication of a report by the Government Accountability Office that reprimanded federal agencies for not pursuing cloud investments as aggressively as the Office of Management and Budget’s “Cloud First” policy mandates. As a result, the GAO’s Cloud Computing: Additional Opportunities and Savings Need to Be Pursued report concluded, agencies had not realized the cost benefits they might have had they chosen a commercial cloud service rather than reinvesting in the ongoing operation of numerous legacy systems. At roughly the same time the Department of Energy’s Office of the Inspector General published an audit report showing that although DOE offices and programs had invested more than $30 million in cloud computing, those offices often could not account for the services they used and had not established adequate data management policies. Lastly, the audit found that none of the cloud services reviewed was fully compliant with the Federal Risk and Authorization Management Program (FedRAMP).

In effect the GAO lambasted agencies for not considering cloud solutions to replace aging legacy systems, while at the same time yet another agency IG criticized its offices for failing to protect data adequately and to coordinate investment management. Several weeks ago the OIG at the Environmental Protection Agency revealed flaws in the EPA’s cloud investments similar to those at the DOE, and last year the National Aeronautics and Space Administration was taken to task for making cloud investments that lacked adequate data governance and security oversight.

Does anyone see the problem here?   

The OMB pushed Cloud First onto agencies with the sole objective of reducing IT costs. This unerring (and I would argue irresponsible) focus on reducing costs forced agencies to jettison their typical risk aversion and jump into a new technology approach that they were not prepared for. Lest readers think I am overstating the problem, I ask for consideration of the following. Over the last two years I have documented hundreds of cloud investments that agencies have made since 2009. These investments include back office systems and even a few mission critical programs, going far beyond the three programs that Cloud First originally mandated. Now agency IG after agency IG is coming forward with audits revealing uncoordinated investments, absent data management policies, and a lack of FedRAMP compliance.

Consider FedRAMP compliance. Last time I checked fewer than 20 commercial cloud solutions had received FedRAMP authorization. Years ago representatives from industry warned that the FedRAMP approach would create a bottleneck of epic proportions; something GSA officials repeatedly promised wouldn’t happen. Now where are we? Agencies caught between the rock of OMB (and Congress, for that matter) and the hard place of the glacial FedRAMP authorization process have invested in cloud solutions well before they were ready for them. The result has been chaos and the expansion of risk across government in the name of saving a few million dollars; all of this against a backdrop of soaring entitlement spending that reaches into the trillions. Is it any wonder that agencies have sought to keep legacy systems running rather than wade further into water that is already up to their noses?

The reality of the situation is that federal agencies have already made significant investments in cloud computing. Many of these investments were made before FedRAMP had been stood up, meaning very few of them have been through the standardized security assessment, authorization, and continuous monitoring that FedRAMP compliance requires. Worse yet, agency data management policies providing standards for the handling, storage, and accessibility of data are still largely missing. The result is a federal IT environment in which risk has soared: the risk of breached or lost data, the risk of poorly managed investments, and the risk of cost overruns. All of this has come at the cost of saving a few pennies at a time when the Federal Reserve regularly CTRL+Ps billions of dollars into existence per month. The Department of Defense’s more conservative approach to the cloud doesn’t look so bad now, does it?