The United States Postal Service did not comply with its established standards on cloud computing, according to a report from the agency’s inspector general.
Released Sept. 4, the report said the agency spent more than $33 million while not following its policy and contract requirements.
“Without proper knowledge of and control over applications in the cloud environment, the Postal Service cannot properly secure cloud computing technologies and is at increased risk of unauthorized access and disclosure of sensitive data,” the report said.
In response to the USPS Office of the Inspector General’s findings, Postal Service management agreed the agency needed to take better accountability over cloud computing software. However, management also said it believed the OIG’s financial risk assessment was inaccurate.
“Management stated they have recognized the need to address issues surrounding cloud computing services and drafted a handbook on cloud computing policy,” the report said.
Under the Postal Service’s current policies, established cloud service providers must already be FedRAMP certified to ensure information security.
“While aspects of cloud characteristics have been realized, cloud computing remains a work in progress,” the report said.
The OIG conducted the audit report because the Council of Inspectors General on Integrity and Efficiency’s (CIGIE) information technology committee asked IGs to evaluate the agency’s cloud computing contracts.
“Our objective was to determine if the U.S. Postal Service’s cloud service contracts comply with applicable standards and evaluate management’s efforts to adopt cloud computing technologies,” the report said.
The CGIE’s IT committee released a report in 2011 addressing the seven areas of cloud concern in government. Since then, the council has encouraged agency IGs to investigate the use of cloud technology at the agencies they inspect.
Under CGIE, the USPS OIG follows the cloud computing definition established by the National Institute of Standards and Technology. One of the OIG’s concerns though is that the Postal Service itself has not yet established a definition of cloud computing, despite creating a cloud security policy.
“The Postal Service has not clearly defined the terms ‘cloud computing’ and ‘hosted services,’” the report said. “Rather, the policy provides an overview of cloud computing initiatives and lists general roles and responsibilities; therefore, management and personnel in various functional areas have different interpretations of cloud computing and its associated capabilities.”
In addition to a lack of definition, the agency also had no concrete list of cloud-based systems, the report said. The OIG reviewed the Contract Authoring and Management System and the Enterprise Information Repository and could not find a tool identifying whether or not contracts or services were cloud-based.
“We attempted to develop a list of cloud computing services; however, knowledge of cloud computing services and contracts is dispersed among various groups, and the Postal Service’s IT and Supply Management groups did not always agree on which applications were cloud services,” the report said.
The report also said during the OIG’s audit USPS management was working on a cloud computing policy dated for June 2014; however, as of the issuance of the report and as of publication time, the policy had not been issued.
According to the report, the policy, which will be released by Oct. 31, 2014, would define cloud computing at USPS, as well as list the roles and responsibilities for cloud computing procedures.
In addition, the report recommended that USPS Vice President of IT John Edgar, Chief Information Security Officer Chuck McGann and Vice President of Supply Management Susan Brownell assign a group of staff the responsibility for cloud service management.
According to the report, that recommendation will be in place at USPS by the end of the year.
