Challenges in the IRS Enterprise Cloud Management Program

Published: January 31, 2024


Deficits found by TIGTA in IRS’ cloud management program signal the need for additional oversight in the areas of cloud application readiness and prioritization, application inventory, and continuous monitoring.

The Inflation Reduction Act in 2022 authorized nearly $80B in supplemental funding (down to $60B upon last year’s debt ceiling deal) for the Internal Revenue Service (IRS). Of that, the tax agency is dedicating almost $5B towards modernization efforts, including increased cloud migration.

Under these conditions, the IRS’ inspector general, TIGTA, evaluated the agency’s capacity to manage cloud services and applications. Upon assessment of 34 cloud applications in the Enterprise Cloud Program, the audit found weaknesses in IRS’ monitoring of the program, ranging from failure to track all cloud services contracts to not applying the proper processes and approvals for cloud applications.

Specifically, the recent report identified cloud managed services contracts missing for two applications at IRS. Moreover, TIGTA was unable to identify the cloud services contract value of 45% of cloud applications at the agency.

According to the report, the results of these flaws include, “the risk of potential lost cost savings and duplication of cloud services as well as making uninformed financial decisions.”

Consequently, TIGTA makes several recommendations to the Chief Procurement Officer, including to develop a process to track and store cloud services contracts, provide contract coding and categorization training to contracting officers, and guarantee specific contract values and obligations are readily identifiable.

Additional findings on contracting, management and oversight challenges in IRS’ Enterprise Cloud Program include:

Audit finding: The IRS does not use Service Level Agreements (SLAs) consistently to track the performance of cloud services contracts, which prevents the agency from addressing potential issues that may affect the quality of the services.
Recommendation: Contracting officers should consistently incorporate SLAs into cloud services contracts and include penalties for not meeting performance.

Audit finding: None of the 34 IRS applications operating in the cloud completed a Cloud Front Door (CFD) process, with 88% of audited applications bypassing the CFD and 12% of applications only starting the CFD. The process ultimately ranks the application’s value, provides approval for FedRAMP requirements, and attains Cloud Governance Board approval.
Recommendation: The Chief Information Officer should require that applications migrating to the cloud be processed by IRS’ new Enterprise Cloud Architecture and Design office and approved by the governance board.

Audit finding: TIGTA found an inaccurate inventory of cloud applications, discovering a discrepancy of 29 applications from two of IRS’ Cloud Application Inventory Reports.
Recommendation: Centralize cloud application inventory reporting.

Audit finding: The IRS CIO did not document FedRAMP continuous monitoring security reviews for 67 applications in FY 2022.
Recommendation: Ensure new guidance on documenting FedRAMP continuous monitoring is implemented.

According to the report, these shortcomings combined create confusion and inefficiencies for applications migrating to the cloud, with the agency unable to manage and maintain the risk of cloud applications. Given the amount of modernization money coming to the IRS through recent legislation, this puts oversight officials on high alert. The Chief Procurement Officer and Chief Information Officer agreed with all 12 recommendations in the report, supporting the development of a tracking process for cloud services contracts with requirement descriptions and contract values, as well as the implementation of a policy requiring all applications migrating to the cloud to follow a centralized process and review for effective management and monitoring of the applications.