Commerce and Interior Cloud Audits Note Contracting and Security Pitfalls

In response to a Council of the Inspectors General on Integrity and Efficiency (CIGIE) government-wide initiative, the Department of Commerce’s Office of the Inspector General evaluated agency efforts to adopt cloud computing technologies and reviewed a sample of contracts for compliance with related standards.

Commerce Cloud Computing Performance Audit

In October of 2014, the Commerce Department’s Assistant Inspector General for Systems Acquisition and IT Security issued a memorandum regarding the department’s cloud computing efforts. In a review of six contracts from three difference Commerce Department bureaus, contracts for four of the efforts were found to be missing required clauses. Further, only two of the six contracts were for offerings compliant with the Federal Risk and Authorization Management Program (FedRAMP). The six Commerce Department contracts averaged $4.5 million in total contract value and 3.5 years in duration. The required clauses the IG noted pertained to government access to contractor (and subcontractor) facilities, installations, operations, personnel, technical capabilities, and databases.

As of May 2015, Deltek’s Federal Industry Analysis team’s database of cloud computing contracts has identified nearly 60 contracts for cloud awards at the Department of Commerce, ranging in duration from one month to five years and combining to total over $1.0 billion in contract value. These contracts were awarded to 32 different vendors, only 7 of whom have completed or are in the middle of completing the FedRAMP authorization process.

Interior Cloud Computing Performance Audit

In a report published in May 2015, the Department of Interior’s Office of Inspector General identified 42 cloud services implemented across its bureaus. As part of its audit of the department’s cloud computing efforts, the IG reviewed contracts for four of these efforts. The findings suggest that business and IT security risks were not appropriately addressed, and in some cases bureaus avoided necessary approvals by circumventing appropriate acquisition channels. It was also noted that contracts did not follow best practices. The four Interior Department contract averaged $251.3 million in total contract value and 4.75 years in duration. These figures were skewed by the high value and longer duration of the Foundation Cloud Hosting Services Contract. (DOI reports the Foundation Cloud Hosting contract duration as 10 years and value as $1 billion, although the contract included multiple awards with each one at that level.) All four of the sample contracts were with FedRAMP approved cloud providers.

The Federal Industry Analysis team’s database of cloud computing contracts has identified 34 contracts for cloud awards at the Department of Commerce, ranging in duration from four months to eight years and combining to total over $10.1 billion in contract value. These contracts were awarded to 21 different vendors, only 5 of whom have completed or are in the middle of completing the FedRAMP authorization process.

Audits Highlight Broader Implementation Trends

When the CIGIE reported on cloud computing initiative in September 2014, the report referenced a “universe of 348 contracts with a value of approximately $12 billion.”  Based on review of a sample of 77 cloud contracts at that time, CIGIE found that none of the 19 participating agencies had sufficient controls in place to manage the cloud service providers (CSP) and the data stored within the cloud systems. Despite awareness that agencies continue to utilize cloud solutions that have not completed the FedRAMP process, it’s unclear what recourse is available to enforce compliance.

Federal agencies have published (NASA, Energy, U.S. Department of Agriculture) and continue to release the findings from their audits of cloud efforts. The findings from these reviews indicate some broad trends in the hurdles that agencies have hit in their effort to rapidly adopt cloud computing technologies – governance, contracting practices, security control compliance. The drive to comply with mandates and to achieve greater long-term sustainability has resulted in cutting corners. Ironically, those missteps are fueling additional audits and oversight activities that will undoubtedly delay current and future adoption efforts.