Federal agencies are putting sensitive data at risk, according to a report released to the public on Thursday by the Council of the Inspectors General on Integrity and Efficiency’s (CIGIE) IT Committee. The report selected 77 commercial cloud contracts for review after 19 Offices of Inspector General (OIGs) shared their testing results. Based on the OIG reports, there were 348 commercial cloud contracts in total, with a combined value of about $12 billion.
Although most commercial cloud contracts included some of the required items, not a single one included all of them. Over three-quarters of the contracts failed to meet FedRAMP standards, which have been required as of June 5th this year. FedRAMP establishes a risk-based approach for federal agencies adopting and using cloud services, including a standardized set of security requirements.
As more government agencies move services to the cloud under the cloud-first initiatives in the US, Australia and the UK, providers that can readily adhere to federal guidelines and mitigate security concerns will have a clear advantage.
“FedRAMP’s purpose is to ensure that cloud-based services have an adequate information security program that addresses the specific characteristics of cloud computing and provides the level of security necessary to protect government information,” according to the CIGIE report. “The failure of the cloud system to address and meet FedRAMP security controls increases the risk that Federal program data may be compromised, intercepted, or lost, which could expose the data to unauthorized parties.”
With recent cybersecurity breaches at huge companies such as JP Morgan, Target, Home Depot, Kmart and Dairy Queen, the public is becoming more aware of the risk of hackers and malware putting their private data in danger.
In addition to putting agencies at a security risk, the faulty contracts may also cause the government to spend more taxpayer money. The CIGIE stated, “Furthermore, because 42 contracts, totaling approximately $317 million, did not include detailed SLAs specifying how a provider’s performance was to be measured, reported, or monitored, the agencies are not able to ensure that CSPs meet adequate service levels, which increases the risk that agencies could misspend or ineffectively use Government funds.”
The report also found that nearly half of the agencies did not have a clear picture of which cloud services were in use. “Without accurate and complete inventories, the agencies involved do not know the extent to which their data reside outside their own information system boundaries and are subject to the inherent risks of cloud systems,” the report stated. The incomplete inventories were attributed to manual reporting (human error) and to agencies not applying a consistent definition of cloud computing.