Federal agencies may spend as much as US$10 billion annually on cloud technology by 2018, as the government seeks to take advantage of the operational improvements and efficiencies attributed to the technology. However, deficiencies in contracting for cloud services could compromise the effectiveness of such investments, according to a recent government report.
Furthermore, reactions to proposed remedies have revealed some tensions over how to best manage federal cloud contracts.
The report flagged cloud contract deficiencies that affect information security, service level agreements, government investigators’ access to vendors, and contractor performance. The study, released in September, was conducted by the Council of the Inspectors General on Integrity and Efficiency, or CIGIE, an umbrella group whose members include the inspectors general at multiple cabinet departments and major federal agencies. The IGs closely examined 77 cloud service contracts with a total value of $1.6 billion, selected from a universe of 348 agreements.
“Without the ability to determine how the cloud service provider’s performance is measured, reported, or monitored, the government does not have the ability to ensure that CSPs are meeting required service levels, which increases the risk that agencies could misspend or ineffectively use government funds,” CIGIE said.
“Participating federal agencies have not fully considered and implemented existing federal guidance, the agencies’ policies, and best practices when developing requirements for cloud computing contracts,” the report notes.
Fifty-nine of the examined contracts did not meet a requirement to become compliant with the Federal Risk and Authorization Management Program by June of 2014, the IGs found. FedRAMP, administered by the General Services Administration, provides a uniform, government-wide cloud security protocol that will save each agency from the expense and effort of separately developing its own security measures.
OMB Asked to Fix Problems
CIGIE called upon the Office of Management and Budget to initiate corrective measures to address the gaps in cloud contracting.
“The major message of the CIGIE report is that business as usual has not so far resulted in adherence to established best practices or other requirements for cloud computing, timely adherence to FedRAMP requirements, or even accurate cloud systems inventories for the 19 departments and agencies reviewed. That is why we urge OMB to implement all of the recommendations in the report,” Kathleen Tighe, inspector general at the U.S. Department of Education and chair of the CIGIE information technology committee, told the E-Commerce Times.
CIGIE recommended that OMB take the following actions:
- Establish standardized contract clauses that agencies must use when adopting cloud computing technologies;
- Determine how best to enforce FedRAMP compliance;
- Establish a process and reporting mechanism to ensure federal agencies require CSPs to meet the FedRAMP authorization requirements in a timely manner; and
- Incorporate routine reviews of agency information system inventories into the continuous monitoring process.
The White House and OMB have been encouraging cloud adoption since February 2011, by urging agencies to give priority consideration to using the technology for IT projects under the Cloud First program. OMB has both budget authority and legal leverage through the Clinger-Cohen Act and other measures to impose requirements on agencies.
However, OMB did not wholeheartedly embrace the CIGIE recommendations in terms of immediately taking action, indicating that the IGs overlooked some measures agencies already have taken to address their concerns.
Top-Down Remedies Debated
For CIGIE, utilizing OMB’s ability to implement enforceable government-wide actions was a logical step, stemming from the report’s conclusion that cloud contract deficiencies “occurred in part because there is not a single, authoritative source that specifies the requirements agencies should consider when procuring cloud computing services and that requires federal agencies to incorporate those requirements into cloud computing contracts.”
However, a top-down approach involving mandates emanating from a central authority such as OMB may not suffice — and could be counterproductive. Responses to the notion of using centralized contracting practices revealed some inherent tensions that could be exacerbated in the cloud acquisition process.
“Government-wide standards are always attractive when considered without examining all their effects. The challenge is in applying the standards,” said Kimberly McCabe, president and CEO at ASI Government.
While standardized contract clauses could be useful, mandated “one-size fits all” terms may not be appropriate and could create unnecessary costs for both agencies and vendors. The CIGIE approach could make cloud vendors wary of dealing with the government market, resulting in fewer vendor offerings to federal agencies, she noted.
Current federal acquisition practices fail to fully account for the change in IT procurement from a fixed cost environment to the IT rental or “by the drink” nature of cloud services, McCabe contended.
“Federal buyers are exercising creativity and innovation to honor the intent of the Cloud First policy, but the reality is that until consumption-based contract structures are available to acquisition professionals, agencies will continue to navigate a very gray area prone to second guessing,” she said.
Diffuse Platforms Present Challenge
While identifiable functions such as email systems or financial accounting programs can be migrated to cloud platforms, IT has become so embedded in government and commercial sector operations that the process of isolating cloud components to ensure compliance with standardized contracting terms may be awkward to administer, McCabe noted.
“There likely are, or will be, cloud-enabled services in most federal programs and IT systems,” she observed. “With that being true, how will government-wide standards affect business arrangements where cloud-enabled IT services are only a component of the overall solution?”
The CIGIE’s recommendation that OMB require agencies to routinely conduct inventories of IT systems was based on a concern for protecting against cybersecurity breaches. However, the diffuse nature of federal cloud and IT deployments may undermine the value of compiling such inventories, said Dan Mintz, a former CIO at the U.S. Department of Transportation and now principal of ESEM Consulting.
“Too many resources are being spent trying to inventory the increasingly decentralized existence of IT. I suspect it would be better in the long term to use security continuous monitoring and access management to learn about usage, rather than develop a static census count that becomes out of date the moment it is completed,” he told the E-Commerce Times.
Vendors of cloud and related services will need to be aware of these contract governance factors in pursuing federal business. One method for dealing with the situation is to obtain FedRAMP certification through the GSA program.
GSA has moved recently to expand the roster of approved companies. However, the CIGIE committee was surprised, DoE’s Tighe said, that so many CSPs had not yet qualified for FedRAMP approval.