Audit finds Commerce Department cloud contracts fail to meet FedRAMP requirements
An independent audit of the Commerce Department’s cloud computing contracts found services that did not comply with the Federal Risk and Authorization Management Program (FedRAMP), along with other security-related deficiencies.
The Council of Inspectors General on Integrity and Efficiency (CIGIE), an independent entity consisting of all executive branch inspectors general, was appointed in November 2013 to evaluate cloud service contracts from 20 departments and agencies, including six from three different bureaus within the Commerce Department.
The report found four of the six contracts did not contain a clause under the Commerce Acquisition Regulation (CAR) that would allow Commerce’s OIG access to the contractor for purposes of a review. One contract also did not include a Federal Acquisition Regulation (FAR) clause that would give agency personnel access to infrastructure or materials needed to guard against security threats.
The report also found that only two of the cloud contracts met FedRAMP security authorization requirements, even though all had been cleared for use by the respective bureaus. The two that did meet FedRAMP deadlines — all cloud services were supposed to meet requirements by June 5 — each have provisional authority to operate.
The six cloud services covered by the audit were the Census Bureau’s contracts with Akamai Technologies and GovDelivery, the National Institute of Standards and Technology’s contracts with Microsoft Corp. and ServiceNow, and the National Oceanic and Atmospheric Administration’s contracts with Google Inc. and Fiberlink, which is owned by International Business Machines Corp. These six contracts add up to more than $27 million in government spending.
The Census Bureau’s agreement with GovDelivery and NIST’s agreement with Microsoft were the only contracts highlighted in the report that include both the CAR and FAR clauses. The Census Bureau’s Akamai service and NIST’s Microsoft service are the only cloud service providers that meet FedRAMP requirements.
The report recommends that Commerce’s chief financial officer and assistant secretary for administration ensure that all future and existing contracts include the relevant clauses, and that any cloud services in use that do not meet FedRAMP requirements be continuously monitored for security risks.
In an agency response, Commerce CFO Ellen Herbst and Chief Information Officer Steven Cooper concurred with the report’s findings and plan to submit a corrective action plan to address the identified risks.