Inspectors Find Big Gaps in Federal Cloud Contract Compliance

U.S. government agencies may be warming to the cloud, with ambitions to significantly boost investment in the technology over the next four years. However, many millions of dollars in federal cloud projects could be at risk both currently and in the future, as a result of flawed contract procedures.

Many agencies have had difficulty in meeting federal requirements and guidance covering cloud contracts with IT vendors, the Council of the Inspectors General on Integrity and Efficiency reported in September. CIGIE is an umbrella group whose members include inspectors general at multiple cabinet departments and major federal agencies.

The CIGIE expressed concern about cloud contract deficiencies affecting information security, service level agreement provisions, access to vendors by federal contract investigators, and contractor performance standards.

“Without the ability to determine how the cloud service provider’s (CSP) performance is measured, reported, or monitored, the government does not have the ability to ensure that CSPs are meeting required service levels, which increases the risk that agencies could misspend or ineffectively use government funds,” CIGIE said.

Inspected Contracts Valued at $1.6B

The 19 participating IGs selected a sample of 77 commercial cloud contracts that federal agencies issued as they transitioned to a cloud system. The total value of the contracts amounted to US$1.6 billion, from a universe of 348 contracts totaling about $12 billion. Each agency IG reviewed its sampled contracts independently, based on a standardized matrix of questions, and verified its results through its internal quality control processes.

“Participating federal agencies have not fully considered and implemented existing federal guidance, the agencies’ policies, and best practices when developing requirements for cloud computing contracts,” the CIGIE study revealed.

The specificity of contract requirements used to procure cloud systems varied across the sample, with all 77 contracts lacking the detailed specifications recommended in federal cloud computing guidance, the CIGIE reported.

Forty two contracts, with a total value of $317 million, “did not include detailed SLAs specifying how a provider’s performance was to be measured, reported, or monitored,” the audit showed.

As a result, “the agencies are not able to ensure that CSPs meet adequate service levels,” the report states.

In addition, 59 of the cloud systems reviewed by the IGs did not meet the government requirement to become compliant with the Federal Risk Authorization and Management Program, or FedRAMP, by June of 2014, even though the requirement was announced in December 2011. FedRAMP, which is administered by the General Services Administration, is designed to provide a uniform, government-wide cloud security protocol that will save each agency the expense and effort of separately developing its own cloud security standards.

Significant Element of Risk

Finally, nine of the 19 participating agencies did not have an accurate and complete inventory of their cloud systems, CIGIE found. Without such information, the agencies involved do not know the extent to which their data reside outside their own information system boundaries, subject to the inherent risks of cloud systems. The dangers include isolation failure, interception of data in transit, and insecure or ineffective deletion of data.

“These risks could expose agency data to unauthorized parties and potentially compromise the objectives of the agencies’ programs,” warns the CIGIE report.

As part of the CIGIE initiative, many IGs released separate reports specifically related to their own agency’s cloud contracting deficiencies. Among them:

• U.S. Postal Service: USPS examined four contracts covering three cloud applications with a total value of $33 million and found that all failed to fully comply with agency standards in at least one area. Specifically, the Postal Service has not defined ‘cloud computing’ and ‘hosted services,’ established an enterprise-wide inventory of cloud computing services, required suppliers and their employees to sign non-disclosure agreements, or included all required information security clauses in its contracts. In addition, management did not appropriately monitor applications to ensure system availability. USPS management also failed to complete the required security analysis process for three cloud services reviewed and did not follow policy requiring cloud service providers to meet federal government guidelines.
• U.S. Commerce Department: Six contracts with a total value of $26.8 million, involving Akamai, GovDelivery, Microsoft, ServiceNow, Google and Fiberlink, were examined. Four failed to follow departmental requirements for providing IG access to contractor facilities, documentation, databases and personnel, in order to carry out an inspection or other review of the contract.
• U.S. Energy Department: The department’s IG examined eight cloud contracts at six DOE or contractor locations with a total value of $30 million. DOE has “not always established contracts with cloud computing service providers that ensured effective controls over the management of stored or transmitted information,” auditors found, and it “did not always address key business and cybersecurity risks.” Deficiencies included failure of department personnel to arrange for access to the cloud service provider’s facilities, operations, documentation and databases.

Several government resources, including GSA, the Chief Information Officers Council, and the National Institute of Standards and Technology, have provided extensive cloud contracting advice for agencies. For a variety of reasons, that advice is not always followed — indicating that a stronger mechanism is needed, the report notes.

“The deficiencies that the IG report discovered, unfortunately, do exist,” Dan Mintz, a former CIO at the U.S. Department of Transportation and principal of ESEM Consulting, told the E-Commerce Times.

While federal cloud adoption is a continuing work in progress, the findings of the report were “somewhat of a surprise,” according to Kathleen Tighe, inspector general at the U.S. Department of Education and chair of the CIGIE information technology committee.

“There is always a learning curve as agencies migrate to new technologies. However, agencies have been migrating to cloud environments for more than five years. In addition, many agencies have been using contractor provided non-cloud systems for many years, which would require similar contract clauses to ensure the government’s best interests are maintained,” she told the E-Commerce Times.

Accountability Needs Bolstering

A recurring theme in the audit from CIGIE, as well as individual agency IG reports, is the lack of an authoritative regime to ensure that important contractual elements are incorporated government-wide in cloud vendor agreements.

For example, deficiencies occurred “because no group is responsible for managing cloud services, and personnel were not aware of all policy and contractual obligations,” says the report issued by the IG for the USPS.

“There is no single authoritative source that details the specifications agencies should consider when procuring cloud computing services and that requires federal agencies to incorporate those specifications into cloud computing contracts,” CIGIE noted in the summary report.

The Office of Management and Budget, which has government-wide jurisdiction over federal IT programs through the Clinger-Cohen Act and other measures, should adopt enforceable standards that address the deficiencies it discovered, CIGIE recommended.

“OMB is the right place to provide oversight to put something in place, because in the end it is the most authoritative executive branch location regarding budget authority. Guidance regarding contract standards is workable, so long as it is tied in some fashion to budget approval. If it is not, then it is merely a notion, not a plan,” Mintz said.

“On the other hand, IT is always changing, and cloud adoption is becoming more diffuse in the federal government as well as the commercial sector, often as a component of a larger IT project — so that would present a challenge to OMB,” he pointed out.

“If reforms are needed, OMB would be the appropriate place because of its central role,” Izella Dornell, deputy CIO for management and business operations at the U.S. Commerce Department, told the E-Commerce Times at a recent industry forum, “but it should be a collaborate effort with the agencies and the federal CIO council.”