Surprise! The Defense Inspector General Finds that DoD Can’t Track Cloud Investments
Published: January 13, 2016
Yet another Inspector General finds that a federal agency, this time the Department of Defense, cannot identify its cloud investments.
Readers may have noticed recently that a great deal of attention has been focused on a report released by the Department of Defense’s Office of the Inspector General concerning the DoD’s cloud investments. Published at the very end of December, the IG’s report found that the DoD does not maintain a comprehensive list of cloud computing contracts. The IG came to this conclusion after it attempted to audit the department’s cloud investments to determine if a cost-benefit analysis for cloud solutions had been done before contracts had been awarded. Thwarted in achieving its initial objective, the DoDIG stepped back to reach a more fundamental conclusion – that “the DoD Chief Information Officer (CIO) did not establish a standard, Department-wide definition for cloud computing and did not develop an integrated repository that could provide detailed information to identify cloud computing service contracts. As a result, DoD cannot measure the effectiveness of the DoD cloud computing initiative … to determine whether it achieves actual cost savings or benefits.”
Findings Do Not Surprise
Those of you who read this blog regularly know that the DoDIG’s findings come as no surprise. The Department of Defense joins a long list of civilian agencies whose Inspector General’s offices reached exactly the same conclusion concerning their cloud investments. The DoDIG’s findings reinforce an argument about federal cloud computing that is unique to this blog; namely, that if agencies cannot account for what they are investing in cloud, cannot track how they are using cloud, and cannot accurately derive cost-benefits, then the risk they are assuming is growing. In this sense, federal investment in cloud is probably proceeding at too rapid and not too slow a pace, as everyone from the White House, to Congress, to various industry blogs claim.
The DoDIG Recommends …
The DoDIG made two recommendations in its report. First, it advised that the DoD CIO “establish a standard, Department-wide cloud computing definition or clarify the National Institute of Standards and Technology definition to consistently identify DoD cloud computing service contracts.” Second, it recommended that a repository of cloud contracts be created that provides detailed information identifying DoD’s cloud computing services contracts.
Both recommendations are worthwhile, but they raise a question about the NIST cloud definitions. Are these too narrow? Has NIST actually done a disservice to federal agencies by providing definitions of “as-as-Service” solutions that limit the ability of a technology layperson, otherwise known as a government contracting official, to determine what the DoD is spending on a cloud service?
Here is an example of what I mean. Company X maintains a close partnership with Infrastructure-as-a-Service provider Y. These companies win a contract to provide the Army with infrastructure services. Company X is the official winner of the contract, but it is not the provider of the cloud service. IaaS provider Y is the service provider. Company X provides the migration services to take the DoD data and ensure that it is housed in provider Y’s IaaS. Does the contract go into the new DoD CIO repository as an IaaS contract or is it a support services contract or is it both?
The answer is irrelevant. More important is the fact that contracting for cloud is a confusing process for an official trained only to think in terms of the NIST definitions. When the service being provided doesn’t fit neatly into an “aaS” category it causes confusion.
In closing, it should be noted that the DoD CIO is addressing the issues raised by the DoDIG in the form of a cloud computing catalog. Vendors approved to provide cloud services for defense customers will have their solution listed in the catalog according to its NIST definition. Defense customers will select from those approved solutions and compete contracts accordingly. In the years ahead, DoD’s cloud contracts will be easily identifiable because they will come from a significantly smaller pool of vendors than if they were competed on the open market.