As the federal government transitions to cloud computing, organizations face challenges in four areas: ensuring cybersecurity, procuring cloud services, maintaining a skilled workforce, and tracking costs and savings. Our work in these areas and the implementation of our recommendations can help agencies overcome these challenges.
The big picture
Federal agencies plan to spend billions of dollars each year to support their IT and cybersecurity efforts, including transitioning IT resources to secure and cost-effective commercial cloud services. Federal agencies can use cloud computing to access computing resources, such as servers that store digital files, through the Internet faster and for less money than it would take to own and maintain those resources.
Illustration of a cloud computing environment
What the GAO’s work shows
Our body of work highlights four key challenges to the federal government’s adoption of cloud services and our recommendations for improvement. Federal agencies have not fully implemented all recommendations.
1. Ensure cybersecurity
In 2011, the Office of Management and Budget (OMB) created the Federal Risk and Authorization Management Program (FedRAMP) to provide a standardized approach to selecting and authorizing the use of cloud services that meet federal security requirements.
In December 2019, we reported that while all 24 major federal agencies participated in FedRAMP, many of those agencies continued to use cloud services that were not permitted under the program. Additionally, the four major agencies we selected for detailed review did not always:
- include the required information in their cloud system security plans;
- summarize security control test results in security assessment reports; and
- identify information required in corrective action plans that should list cloud service deficiencies and how they will be mitigated.
We found that one of the causes of these weaknesses was that FedRAMP’s requirements and guidance on implementing these control activities were not always clear and that the program’s process for monitoring the status of security controls on cloud services was limited.
We recommended that OMB hold agencies accountable for authorizing cloud services through FedRAMP. We made 24 additional recommendations to federal agencies regarding improving the implementation of the FedRAMP program, including clarifying guidance on program requirements and responsibilities.
2. Acquisition of cloud services
An important part of purchasing cloud services is incorporating a service level agreement into the contract. These agreements define the level of service and performance that the agency expects from the contractor. In April 2016, we reported that five of the top agencies we selected for review did not always incorporate key practices from these agreements into their cloud services contracts. For example, agencies did not always specify:
- what constitutes a security breach and responsibilities to notify the agency;
- how data and networks will be managed; and
- the range of enforceable consequences should the agreement be breached.
This was mainly due to the lack of guidance fully addressing key practices.
We recommended that four of the agencies develop guidance that fully incorporates key practices and that the fifth agency update its guidance to include all key practices.
3. Maintain a skilled workforce
Having qualified IT personnel is essential to support the federal government’s cloud computing adoption efforts.
Illustration of a cloud computing workforce
Nonetheless, we reported cloud-related labor issues at three federal agencies.
- The Coast Guard did not include new cloud-related skills and a skills gap analysis for cloud personnel in its workforce development strategy.
- The Department of Defense (DOD) did not strategically plan to communicate with employees to prepare them for the changes that would occur due to the move to cloud services.
- The State Department’s strategic plan did not include performance measures, goals, or targets to monitor progress toward clarifying responsibilities and requirements needed to support the cloud environment.
We recommended that the Coast Guard, DOD, and Department of State take action by updating their strategic plans to address workforce issues related to cloud computing.
4. Track costs and savings
Federal policies and guidelines have emphasized the importance of reducing acquisition and operating costs by purchasing cloud services through the adoption of cloud computing. However, in April 2019, we reported that federal agencies were having difficulty tracking and reporting data on cloud-related spending and savings. For example, federal agencies often used inconsistent data to calculate cloud spend and were unclear about what costs they needed to track. Additionally, agencies struggled to consistently track savings data and reported that OMB guidelines do not require them to explicitly report savings from cloud implementations. We have reported that as a result, the cloud spend and savings figures reported by agencies are likely to be inaccurate.
We recommended that the OMB require agencies to explicitly report cloud-related savings, and that agencies establish a repeatable mechanism to track cloud-related savings and avoidance.
For more information, contact Jennifer R. Franks at (404) 679-1831 or franksj@gao.gov.