FEDweek IT

The Postal Service’s cloud computing contracts do not comply with all of its internal standards, the USPS inspector general has said in an audit looking into how well the agency is protecting data and its progress in moving towards cloud computing.

Specifically, the Postal Service has not defined “cloud computing” and “hosted services,” established an enterprise-wide inventory of cloud computing services, required suppliers and their employees to sign non-disclosure agreements, or included all required information security clauses in its contracts, according to the IG.

It also said that management did not appropriately monitor applications to ensure system availability, did not complete the required security analysis process for three cloud services reviewed, and did not follow Postal Service policy requiring cloud service providers to meet federal government guidelines.

This occurred because no group is responsible for managing cloud services and personnel were not aware of all policy and contractual obligations, the IG said, adding that it estimates $33,517,151 in contractual costs associated with the Postal Service not following its own policy and contract requirements.

The IG called on USPS management to define “cloud computing” and “hosted services,” develop an inventory of cloud services, monitor suppliers and require them to be certified, and revise contracts to include security clauses, among other recommendations.