FEDweek IT

The language in OPM’s current cloud computing contracts does not adhere to established best practices, and the cloud service providers hosting OPM systems are not certified or authorized in accordance with Federal Risk and Authorization Management Program (FedRAMP) requirements, the OPM inspector general has said.

Based on a sample of agency cloud computing contracts, the IG determined that none of them incorporated all of the best practices outlined by the CIO Council and Chief Acquisition Officers Council in their “Creating Effective Cloud Computing Contracts for the Federal Government” document. The document covers areas including security, privacy, cloud-service selection and end-user agreements.

The IG recommended that the contract language for cloud computing services be updated, and that OPM contract only with CSPs that are in compliance with FedRAMP.

OPM said it is in fact its policy to use FedRAMP cloud service providers for new or renewing cloud services when feasible, but noted that FedRAMP CSPs are currently accredited at the FIPS-199 moderate level and therefore cannot host OPM’s high-impact systems.