NASA Inspector General Paul K. Martin released an audit report today evaluating the Agency’s progress in adopting cloud-computing technologies. The Office of Inspector General (OIG) examined whether NASA has implemented an Agency-wide information technology (IT) governance model for cloud computing and also reviewed the Agency’s risk management practices for acquiring and securing cloud-computing services.
Cloud computing is an emerging form of delivering computing services by giving users access to scalable, on-demand IT capabilities over the Internet. Examples include Web-based e-mail and common business applications delivered online through a browser instead of by an agency data center. Moreover, the Office of Management and Budget requires agencies to adopt a “Cloud First” policy and evaluate cloud-computing alternatives before making new IT investments. The adoption of cloud-computing technologies has the potential to improve IT service delivery and reduce costs through faster deployment of computing resources and a decreased need to buy hardware or build data centers. For its part, NASA spends about $1.5 billion annually on its portfolio of IT assets, including more than 550 information systems that control spacecraft, collect and process scientific data, provide security for IT infrastructure, and enable Agency personnel to collaborate with colleagues around the world.
When transitioning to a cloud-computing model, Federal agencies may adopt a private cloud strategy in which they operate their own data centers or purchase cloud services from public providers. While the private cloud alternative enables agencies to manage their critical IT services and control access to sensitive data directly, these benefits come at the high cost of owning and operating data centers. Conversely, the public cloud alternative frees organizations from the expense of data center ownership but requires that they effectively manage contractor performance to ensure key business and IT security requirements are met. Effectively managing public cloud-computing services requires agencies to address business and security risks and properly define mechanisms to monitor agency and cloud provider responsibilities. Agencies must also have strong IT governance practices in place, including organizational control of and oversight over policies, procedures, and standards for IT service acquisition and monitoring.
The OIG review found that weaknesses in NASA’s IT governance and risk management practices have impeded the Agency from fully realizing the benefits of cloud computing and potentially put NASA systems and data stored in the cloud at risk. For example, several NASA Centers moved Agency systems and data into public clouds without the knowledge or consent of the Agency’s Office of the Chief Information Officer (OCIO). Moreover, on five occasions NASA acquired cloud-computing services using contracts that failed to fully address the business and IT security risks unique to the cloud environment. Finally, one of the two moderate-impact systems NASA moved to a public cloud operated for 2 years without authorization, a security or contingency plan, or a test of the system’s security controls. This occurred because the OCIO lacked proper oversight authority, was slow to establish a contract that mitigated risks unique to cloud computing, and did not implement measures to ensure cloud providers met Agency IT security requirements.
Over the next five years, NASA projects that 75 percent of new IT programs could begin in the cloud, 40 percent of legacy systems could be moved to the cloud, and nearly 100 percent of the Agency’s public data may be stored in the cloud. As this migration occurs, it is imperative that NASA strengthen governance and risk management practices to safeguard data while effectively spending IT funds.
We made six recommendations to NASA’s CIO to strengthen governance of cloud computing, mitigate risks, and improve coordination between the OCIO and Centers when acquiring cloud computing services. The Agency concurred with our findings and recommendations.
The full report is available on the OIG’s website at http://oig.nasa.gov/ under “Reading Room” or at http://oig.nasa.gov/audits/reports/FY13/IG-13-021.pdf.
For more information, please contact Gail Robinson at gail.a.robinson@nasa.gov or at (202) 358-1220.