We reviewed four contracts that Department of the Interior (DOI) entered into with Cloud-computing providers, finding than none of these contracts had the controls needed to monitor and manage the providers, as well as DOI's data stored in their cloud systems. We recognize that DOI's adoption of Cloud-computing technologies can improve IT service delivery and reduce the costs of managing DOI's diverse programs, chiefly because Cloud-computing offers faster application of computing resources, decreased need to buy hardware or build data centers, and increased collaboration. Regardless of these positive benefits, a more service-oriented approach to managing and delivering IT services is needed, including changes to current centralized IT management and service delivery structures that rely on Cloud-computing service contracts.
We evaluated whether DOI's contracts met best practices for acquiring Cloud services. Specifically, we determined whether they identified the roles and responsibilities of individuals involved with the contracts, as well as how contractor performance is measured, reported, and enforced. We also assessed whether the contracts addressed Federal privacy, discovery, and data retention and destruction requirements, in addition to key IT security measures. None of the contracts we reviewed addressed these concerns.
Also, with no accurate inventory of its Cloud-computing services, DOI USGS and IT staff were unaware of the 16 public cloud services acquired by the Bureau through integrated charge card purchases. These ranged from a few dollars to more than $2,000 per month.
We offer six recommendations to help DOI mitigate business and IT security risks to strengthen Cloud-computing IT governance practices.