FEDweek IT

Many federal agencies have not fully considered and implemented existing guidance, agency policies, and best practices when developing requirements for cloud computing contracts, the Council of the Inspectors General on Integrity and Efficiency’s (CIGIE) IT Committee has said in a new report.

Some 59 cloud systems out of a sample of 77 commercial cloud contracts (issued as agencies transitioned to cloud systems) that CIGIE reviewed did not meet the requirement to become compliant with the Federal Risk Authorization and Management Program (FedRAMP) by June 5, 2014, even though the requirement was announced on December 8, 2011, according to the report.

It said that as the IGs were validating their respective inventories, 9 of the 19 agencies found that they did not have an accurate and complete inventory of their cloud systems.

CIGIE concluded that these issues occurred because there is no single authoritative source detailing specifications for procuring cloud services, no enforcement body, and no risk of penalty for non-compliance.

The report recommended that OMB establish standardized cloud computing contract clauses; determine how best to enforce FedRAMP compliance; establish a process and reporting mechanism to require service providers to meet the FedRAMP authorization requirements in a timely manner; and incorporate routine reviews of agency information system inventories into the continuous monitoring process.

The report can be found here: http://www.ignet.gov/randp/rpts1.html#2014