The Defense Department has no way of knowing exactly how many cloud computing contracts are in place throughout the department and isn’t sure what data component agencies are moving to the cloud, according to a new report from the department’s Inspector General.
The findings raise serious questions about the Pentagon’s ability to measure cost savings from migrating to the cloud and even bigger concerns about security.
It’s time for the Pentagon to clean up its act on cloud computing, the IG said.
In a critical report dated Dec. 28, 2015, the IG said DoD’s CIO did not maintain a list of computing services contracts, did not establish a standard, departmentwide definition for cloud computing, did not have an integrated repository to keep track of cloud-computing contracts, and could not provide a reliable list of cloud contracts between FY2011 and 2014.
There were other mistakes, too. There were contracts with the wrong identifying numbers. There were contracts for services that could have been used by other DoD services and offices, but no one knew about them. And various military branches were confused about what constitutes a cloud computing service and how to use various cloud computing contracts.
The IG also said the Pentagon flunked on determining cost savings and security risks.
“DoD cannot determine whether it’s achieved actual cost savings or benefits from adapting cloud computing services. In addition, without knowing what data DoD components place on the cloud, DoD may not effectively identify and monitor cloud computer security risks,” the IG said.
The IG recommended that DoD issue its own departmentwide standard for cloud computing and establish a repository that provides transparency into the cloud computing services across DoD.
David DeVries, the principal deputy DoD chief information officer who responded for the CIO, neither agreed nor disagreed with the report.
The deputy said that the DoD CIO has already taken action to address the recommendation. Before the report was released, the DoD CIO published a standard definition of cloud as well as requirements and processes for assessing cloud security risks.
But the IG said that response was not good enough and asked for additional comments in response to the report.
“The comments did not include the type of information it will collect or a description of the enhancements. … It was unclear what enhancements were made to the system,” the IG said. “The CIO needs to establish a repository that can effectively gather, maintain, and report on cloud computing services acquired.”