Status of Cloud Computing Environments within OPM (Report No. 4A-CI-00-14-028)



Similar documents
Office of Inspector General Audit Report

AUDIT REPORT. The Department of Energy's Management of Cloud Computing Activities

The Council of the Inspectors General on Integrity and Efficiency s Cloud Computing Initiative

DEPARTMENT OF VETERANS AFFAIRS VA DIRECTIVE 6517 CLOUD COMPUTING SERVICES

December 8, Security Authorization of Information Systems in Cloud Computing Environments

Seeing Though the Clouds

U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS. Final Audit Report

Management of Cloud Computing Contracts and Environment

PATRICKE.McFARLANDt:j?~~ (.?IJ~L...J Inspector General f/ ~~~~~'~...-\

Final Audit Report. Report No. 4A-CI-OO

Cloud Computing. Report No. OIG-AMR UNITED STATES GOVERNMENT National Labor Relations Board Office of Inspector General.

Overview. FedRAMP CONOPS

Final Audit Report -- CAUTION --

July 22, Serious Concerns Regarding the Office of the Chief Information Officer

Office of Inspector General

Cloud Computing Contract Clauses

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT. Wash ington, DC MEMORANDUM FOR JOHN BERRY / / J Director ~ p to-

POSTAL REGULATORY COMMISSION

Cloud Computing Best Practices. Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service

Fiscal Year 2007 Federal Information Security Management Act Report

INSPECTION CLOUD COMPUTING SECURITY DOCUMENTATION IN THE CYBER SECURITY ASSESSMENT MANAGEMENT SOLUTION

Office of the Inspector General United States Office of Personnel Management. Statement of Michael R. Esser Assistant Inspector General for Audits

How To Check If Nasa Can Protect Itself From Hackers

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL. September 24, 2010

HHS OCIO Policy for Information Technology (IT) Enterprise Performance Life Cycle (EPLC)

FSIS DIRECTIVE

How To Manage Cloud Computing In The United States Of American Agriculture

Audit of the CFPB s Acquisition and Contract Management of Select Cloud Computing Services

STATEMENT OF SYLVIA BURNS CHIEF INFORMATION OFFICER U.S. DEPARTMENT OF THE INTERIOR BEFORE THE

NUMBER OF MATERIAL WEAKNESSES

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Written Testimony. Mark Kneidinger. Director, Federal Network Resilience. Office of Cybersecurity and Communications

Creating Effective Cloud Computing Contracts for the Federal Government

Final Audit Report FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT FY Report No. 4A-CI

Evaluation Report. The Social Security Administration s Cloud Computing Environment

Allison Stanton, Director of E-Discovery U.S. Department of Justice, Civil Division. U.S. Department of Agriculture

The Cloud Seen from the U.S.A.

Federal Risk and Authorization Management Program (FedRAMP)

INFORMATION MANAGEMENT

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems

INSPECTION U.S. DEPARTMENT OF THE INTERIOR WEB HOSTING SERVICES

TABLE OF CONTENTS Information Systems Security Handbook Information Systems Security program elements. 7

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

EPA Needs to Strengthen Its Privacy Program Management Controls

Office of Inspector General

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Software Contract and Compliance Review

How To Use Cloud Computing For Federal Agencies

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

GAO INFORMATION TECHNOLOGY REFORM. Progress Made but Future Cloud Computing Efforts Should be Better Planned

IT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO TABLE OF CONTENTS

Smithsonian Institution

COTS/SaaS Acquisition Information Form

Concurrent Technologies Corporation (CTC) is an independent, nonprofit, applied scientific research and development professional services

Security Control Standard

OFFICE OF INSPECTOR GENERAL

10 Considerations for a Cloud Procurement. Anthony Kelly Erick Trombley David DeBrandt Carina Veksler January 2015

OPM System Development Life Cycle Policy and Standards. Table of Contents

2008 FISMA Executive Summary Report

Incident Management. Verdis Spearman

NASA Information Technology Requirement

Chairman Johnson, Ranking Member Carper, and Members of the committee:

This Instruction implements Department of Homeland Security (DHS) Directive , Privacy Policy for Operational Use of Social Media.

Office of Inspector General

Allison Stanton Director of E-Discovery U.S. Department of Justice, Civil Division

PROCUREMENT. Actions Needed to Enhance Training and Certification Requirements for Contracting Officer Representatives OIG-12-3

ClOP CHAPTER Departmental Information Technology Governance Policy TABLE OF CONTENTS. Section 39.1

Deputy Chief Financial Officer Peggy Sherry. And. Chief Information Security Officer Robert West. U.S. Department of Homeland Security.

DEPARTMENTAL REGULATION

Cloud Security. A Sales Guy Talks About DoD s Cautious Journey to the Public Cloud. Sean Curry Sales Executive, Aquilent

How To Audit The National Security System

VA Office of Inspector General

CLOUD COMPUTING. Agencies Need to Incorporate Key Practices to Ensure Effective Performance

STATEMENT OF. Dr. David McClure Associate Administrator Office of Citizen Services and Innovative Technologies General Services Administration

NASA S PROCESS FOR ACQUIRING INFORMATION TECHNOLOGY SECURITY ASSESSMENT AND MONITORING TOOLS

Cloud Security for Federal Agencies

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS

I. U.S. Government Privacy Laws

Cloud Assessments. Federal Computer Security Managers Forum. John Connor, IT Security Specialist, OISM, NIST. Meeting.

Strategic Plan Network Optimization & Transport Services

Security Authorization Process Guide

FedRAMP Standard Contract Language

Final Audit Report FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT FY Report No. 4A-CI Date:

Audit of Veterans Health Administration Blood Bank Modernization Project

Memorandum. Audit Report No.: OAS-L REPLY TO ATTN OF: Chief Financial Officer, CF-1 TO: INTRODUCTION AND OBJECTIVE

Department of Homeland Security Office of Inspector General

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL. September 22, 20 14

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Department of Homeland Security

Working for America s Workforce

Information Assurance in the Cloud

Office of Audits and Evaluations Report No. AUD The FDIC s Controls over Business Unit- Led Application Development Activities

EPA Needs to Improve the Recognition and Administration of Cloud Services for the Office of Water s Permit Management Oversight System

CIOP CHAPTER Common Operating Environment (COE) Services Management Policy TABLE OF CONTENTS. Section Purpose

CLOUD COMPUTING. Additional Opportunities and Savings Need to Be Pursued

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

NASA OFFICE OF INSPECTOR GENERAL

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program

FEDERAL ELECTION COMMISSION OFFICE OF INSPECTOR GENERAL

Transcription:

MEMORANDUM FOR KATHERINE ARCHULETA Director FROM: SUBJECT: PATRICK E. McFARLAND Inspector General Status of Cloud Computing Environments within OPM (Report No. 4A-CI-00-14-028) The purpose of this memorandum is to communicate to you the results from our review of the contracts for cloud computing information systems used by the U.S. Office of Personnel Management (OPM). We submitted our conclusions and recommendations to OPM s Office of the Chief Information Officer (OCIO) representatives to elicit their comments. The OCIO s comments are included within this memorandum. Executive Summary Our review indicated that the language in OPM s current cloud computing contracts does not adhere to established best practices. We also determined that the Cloud Service Providers (CSP) hosting OPM systems are not certified or authorized in accordance with the Federal Risk and Authorization Management Program (FedRAMP) requirements. As a result, we recommend that the contract language for cloud computing services be updated, and that OPM contract only with CSPs that are in compliance with FedRAMP. Background The OPM Office of the Inspector General (OIG) volunteered to participate in a government-wide review of cloud computing environments that was led by the Council of Inspectors General on Integrity and Efficiency. The review had two main purposes: 1) to review current agency cloud computing contracts for compliance with best practices established by the Chief Information Officers (CIO) Council and Chief Acquisition Officers Council and, 2) to determine if agency systems used FedRAMP to acquire and authorize cloud services. Scope and Methodology To perform our review we evaluated the contracts for a sample of OPM information systems that use CSPs to host applications. We also interviewed individuals from OPM s Contracting Office, program office officials that use cloud-based systems, and OPM s Chief Information Security Officer.

Honorable Katherine Archuleta 2 Our review was not conducted in accordance with Generally Accepted Government Auditing Standards (GAGAS). The nature and scope of the work performed was consistent with that expected of a GAGAS audit; however, because we consider this to be a review, the documentation, reporting, and quality control standards are not as stringent. Review Results Our review indicated that OPM s cloud computing contracts do not adhere to established best practices. We also determined that CSPs hosting agency systems are not certified or authorized by FedRAMP. a) Cloud Service Provider Procurement and Contract Formation The CIO Council and Chief Acquisition Officers Council published a document titled Creating Effective Cloud Computing Contracts for the Federal Government that establishes best practices for acquiring information technology (IT) as a service. The document establishes the following areas that should be addressed when creating a cloud computing contract: Selecting a cloud service; CSP and end-user agreements; service level agreements; CSP, agency, and integrator roles and responsibilities; standards; security; privacy; e-discovery; Freedom of Information Act; and federal e-records management We reviewed a sample of agency cloud computing contracts and determined that none of them incorporated all of these best practices. Over the last few years, the OCIO has worked with the Contracting Office to incorporate new language into contracts for IT services to enforce Federal Information Security Management Act requirements. However, the new language does not adequately address cloud services for the areas listed above. Failure to incorporate cloud specific language into agency contracts has multiple risks. For instance, there is an increased risk that data ownership is not adequately established, which could allow a cloud provider to have unnecessary access to sensitive federal data. Also, failure to define security standards and testing requirements increases the risk of a data breach, which could lead to the loss or corruption of sensitive federal data. Recommendation 1 We recommend that the OCIO work with OPM s Contracting Office to review cloud computing contract best practices, and incorporate appropriate language into future contracts for cloud services. We also recommend that the Contracting Office assess the feasibility of incorporating the updated contract language into existing contracts for cloud services.

Honorable Katherine Archuleta 3 The CIO believes that while existing security contract language that goes into all IT contracts [is] aligned with OPM security policy and FISMA requirements, it would enhance security to incorporate additional language to specifically address Cloud environments. As part of the recommendation resolution process, please provide OPM s Internal Oversight and Compliance division with evidence supporting the corrective action taken. b) FedRAMP Compliance In December 2011, the Office of Management and Budget (OMB) released a memorandum addressing the security authorization process for cloud computing services. The memorandum requires all federal agencies to use FedRAMP when procuring and subsequently authorizing cloud computing solutions effective June 5, 2014. Specifically, each agency must do the following: Use FedRAMP when authorizing cloud services; Use the FedRAMP process and security requirements as a baseline for authorizing cloud services; Require CSPs to comply with FedRAMP security requirements; Establish a continuous monitoring program for cloud services; Ensure that maintenance of FedRAMP security authorization requirements is addressed contractually; Require that CSPs route their traffic through a Trusted Internet Connection; and Provide an annual list of all systems that do not meet FedRAMP requirements to OMB. We determined that no OPM cloud-based systems are currently using FedRAMP approved CSPs. However, several systems are using FedRAMP accredited third party assessment organizations to perform security control testing. While this type of testing does not satisfy FedRAMP requirements, it provides an additional level of assurance that the systems security controls are adequately tested. We reviewed OPM s Information Security and Privacy Policy Handbook to determine what guidance is available related to cloud computing. While cloud computing is addressed, FedRAMP requirements are not incorporated into OPM policy or procedures. We were told that the OCIO is in the process of updating the Information Security and Privacy Policy Handbook and that FedRAMP will be addressed, but they are not complete at this time. Failure to comply with FedRAMP requirements increases the risk that information systems security controls will not be adequately tested, which could lead to a data breach and the loss or corruption of sensitive federal data. Recommendation 2 We recommend that the OCIO update its cloud computing policies and procedures to incorporate FedRAMP requirements.

Honorable Katherine Archuleta 4 Cloud Computing security policies are documented in the OPM Security Handbook. The available FedRAMP material on cloud computing [consists] of procedures and templates which typically would not be added to a security policy. We will review the FedRAMP Material and make a determination how best to incorporate [it] into OPM security procedures. While we agree that cloud computing security policies are documented in the OPM Information Security and Privacy Policy Handbook, FedRAMP requirements are not addressed. At a minimum, we would expect the policy to require all agency systems to use FedRAMP compliant CSPs when acquiring cloud services. Recommendation 3 We recommend that the OCIO require all program offices with cloud-based systems to use CSPs that are FedRAMP compliant. It s our policy to use FedRAMP Cloud Service Providers (CSP) for new or renewing cloud services when feasible. FedRAMP CSPs are currently accredited at the FIPS-199 moderate level and therefore cannot host OPM s high systems. There is also the issue [of] FedRAMP delays in [processing] applications for new cloud services and the impact on the ability for program offices to execute their missions. We have approached FedRAMP in the past to host OPM systems and [were] told that it would take almost a year to join the program because of a backlog of agencies waiting to join the program. We understand that the process for a CSP to obtain FedRAMP compliance takes time and that it may be difficult for a program office to change CSPs. However, the OMB memorandum establishing FedRAMP and the requirement that each agency use FedRAMP compliant CSPs was published in December 2011. The intent of the recommendation is for OPM to enforce the requirements established by OMB.

Honorable Katherine Archuleta 5 Please contact me on 606-1200 if you have any questions, or your staff may wish to contact Michael R. Esser, Assistant Inspector General for Audits, on. cc: Ann Marie Habershaw Chief of Staff and Director of External Affairs Donna K. Seymour Chief Information Officer Mark W. Lambert Associate Director Merit Systems Accountability and Compliance Janet L. Barnes Director Internal Oversight and Compliance Chief, Policy and Internal Control

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information