The Environmental Protection Agency doesn’t know how many cloud computing contracts it currently holds nor is it aware of how secure they are, according to a report from the agency’s Office of the Inspector General.
The EPA IG report also says the agency is using services from a subcontractor that is not compliant with the Federal Risk and Authorization Management Program (FedRAMP), and that the agency may not be able to access the actual hardware for investigative purposes.
“Our audit work disclosed management oversight concerns regarding the EPA’s use of cloud computing technologies,” states the report, released last week. “These concerns highlight the need for the EPA to strengthen its catalog of cloud vendors and processes to manage vendor relationships to ensure compliance with federal security requirements.”
The audit found, for instance, that the agency reported an inaccurate number of cloud computing contracts — listed as 11 — because the reporting office only selected contracts with “cloud” in their description.
“During the audit, the auditor became aware of one application incorrectly listed as a cloud application and two applications that appear to be cloud applications not included in the survey results,” the report read.
The audit then focused on one system, the Office of Water’s Permit Management Oversight System, which has been hosted by a subcontractor since 2012. The IG found that the EPA failed to secure a terms of service contract or sign a non-disclosure agreement with the cloud service provider, relying instead on a service agreement with the primary vendor.
As to why the system did not comply with FedRAMP cloud security provisions, the EPA said the procurement was intended to “develop, maintain, and revise” old systems rather than spend money on new ones, with the solution including some cloud-related technology.
“Although, the EPA did not intend to procure a cloud service, the agency accepted a contract whose technical solution included the cloud,” the report says. “As a result, the auditor concludes that the contract should have included terms and conditions specifically on the performance of cloud services for those parts of the contract hosted in the cloud.”
While the EPA called the report “factually correct,” Craig Hooks, assistant administrator in the EPA’s Office of Administration and Resources Management, said the IG took a “narrow approach” to its audit, and explained the process behind what the report found.
“…the performance work statement solicited under the [blanket purchase agreement] did not contain a cloud services requirement and was not considered a cloud contract,” Hooks said in a response letter to the audit. “However, in response to the solicitation, vendors proposed their best technical solutions for completing performance work statement tasks, and the awardee offered a technical solution that included the cloud, which was provided under a subcontract. Because of the aforementioned circumstances surrounding this procurement, the primary order did not contain cloud specific terms and conditions such as terms of service clauses and service level agreements.”
Hooks said the EPA plans to “evaluate its management controls to make sure our contracts are adhering to federal and EPA policies, procedures, and guidance with regards to cloud computing.”