Problematic Cloud Transition at USDOT Spotlights Increasing Risk

Published: September 09, 2015

Cloud Computing, Cybersecurity, FAA, DOT

Since 2013, federal agencies have increased their use of cloud computing solutions and in the process of doing so they have also taken on increased risk.

The big news recently out of the Department of Transportation was the award of a $109 million contract to Computer Sciences Corporation to provide cloud services to the Federal Aviation Administration. The award of the FAA Cloud Services (FCS) contract represents an important step forward for the agency, and potentially for the DOT as a whole, if the department elects to use the FAA’s cloud provider for its other modal organizations.

The FCS award comes at an interesting time for the DOT, because only three months earlier the department’s Office of the Inspector General published a highly critical audit of public cloud efforts underway at the DOT since December 2013. The DOT OIG conducted the audit as part of the Council of Inspectors General on Integrity and Efficiency’s effort to determine the status of cloud computing environments at federal agencies. The audit had two objectives: 1) “to determine if [the] DOT has an effective process to transition existing information technology services to cloud computing” and 2) to understand if the DOT had “identified and mitigated security risks associated with the transition.”

During its investigation, the DOT OIG found only 6 projects that could be positively identified as cloud-related. Five additional projects were later submitted to the OIG for auditing purposes, but the OIG chose to focus its analysis on the original 6 contract awards. Lastly, of the 11 systems eventually identified as cloud, the OIG found that “only 5 were correctly identified in the Department’s inventory. Four were identified as non-cloud systems, and 2 were not in the inventory at all.” After comparing these results to the investments listed in DOT’s PortfolioStat data, the DOT OIG concluded that the Department had not accurately reported its cloud investments to the Office of Management and Budget.

While this finding is troubling enough, suggesting that yet another federal agency has failed to manage its cloud investments effectively, the DOT OIG also found the following:

  • The DOT’s transition to cloud computing has not been effective because the Department has not established guidance on contracting for cloud systems or for cost and benefit assessments of the systems.
  • The DOT has not updated its guidance on contracting for IT services to include cloud systems, meaning that requirements for specific contract clauses needed for cloud services, such as provisions that cover maintenance of data integrity, availability, and confidentiality, are routinely not included.
  • Three of the six contracts reviewed did not include provisions establishing non-disclosure agreements required to protect agency information from inappropriate release.
  • The DOT has not established an accurate inventory of cloud systems—a requirement for effective information system risk management.
  • The DOT’s cloud systems did not meet the requirements of the Federal Risk and Authorization Management Program (FedRAMP), even though FedRAMP required the security of all federal cloud systems to be compliant with its guidelines by June 2014.

So, to sum up, according to the DOT OIG the department regularly places its data in risky (i.e., non-FedRAMP-compliant) environments; it does not maintain control of its data through proper contract controls; it cannot properly account for the amount it spends on cloud services; it cannot accurately inventory the number of cloud systems it has; it cannot determine the return on its investment in cloud; and it has not properly trained or provided guidance to contracting personnel on procuring cloud services.

The DOT is not alone in suffering from these lapses in cloud management and procurement. Since the outset of the CIGIE’s audit efforts, at least a dozen other department OIGs have reported similar findings at their agencies. In other words, the management lapses and increased risk being taken on by the DOT during its cloud “transition” are not isolated – they are indicative of a growing problem that stretches across the federal government. The fact is that federal agencies, constantly under pressure from the White House, the media, Congress, and industry to adopt cloud solutions more rapidly, have moved forward accordingly. In the process they have exposed themselves to risks that they never would have dreamed of taking on before the advent of cloud-based solutions. In short, the federal government’s transition to the cloud is a cybersecurity disaster waiting to happen, and when one does occur, the OIG of the agency where it takes place will be able to point to exactly why it occurred.