Federal agencies are putting sensitive data at risk, according to a report released to the public on Thursday by the Council of the Inspectors General on Integrity and Efficiency’s (CIGIE) IT Committee. The report selected 77 commercial cloud contracts for review after 19 Offices of Inspector General (OIG) shared testing results.
Based on OIG reports, there were 348 commercial cloud contracts with a value of about $12 billion.
Although most commercial cloud contracts included some of the required items, not a single one included all of them. Over three-quarters of the contracts failed to meet FedRAMP standards, which were required as of June 5th this year even though the requirement was announced on December 8, 2011. FedRAMP establishes a risk-based approach for federal agencies adopting and using cloud services, which includes standardized security requirements.
The testing that the OIGs conducted as part of the CIGIE initiative indicated that participating Federal agencies have not fully considered and implemented existing Federal guidance, the agencies’ policies, and best practices when developing requirements for cloud computing contracts. The specificity of the requirements incorporated into the contracts used to procure cloud systems varied across the sample, with all 77 contracts lacking the detailed specifications recommended in Federal cloud computing guidelines and best practices documentation.
In addition to putting agencies at a security risk, the faulty contracts may also cause the government to spend more taxpayer money. The CIGIE stated, “Furthermore, because 42 contracts, totaling approximately $317 million, did not include detailed SLAs specifying how a provider’s performance was to be measured, reported, or monitored, the agencies are not able to ensure that CSPs meet adequate service levels, which increases the risk that agencies could misspend or ineffectively use Government funds.”
The report also found that nearly half of the agencies did not have a clear picture of what cloud services are being used.