
Agencies aren’t providing enough details about future cloud moves, GAO says

T. L. Furrer/

Nineteen of 20 agency plans for future cloud computing projects are missing important elements, a watchdog said Wednesday.

For example, seven of the 20 blueprints submitted to the Office of Management and Budget do not include any cost estimates, according to the Government Accountability Office report. None of the 14 plans that involve migrating existing services to the cloud includes the cost of retiring or repurposing legacy systems, the watchdog said.

Without that information it’s not clear if the agencies will be able to wring all possible savings from the cloud projects, GAO said.

Technology officials have estimated the government can save $5 billion annually by moving 20 percent of its information technology infrastructure from agency-owned data centers to more nimble cloud computing.

All seven agencies that GAO surveyed had met OMB’s requirement for moving at least one service to the cloud by December 2011. They also planned to have at least three services functioning in the cloud by the end of 2012, though two agencies -- the Agriculture Department and the Small Business Administration -- said they missed OMB’s June deadline for that milestone.

The shift to cloud computing has been dogged by insufficient guidance on purchasing cloud technology and concerns about its security, GAO said.

The process of certifying cloud vendors also has been arduous, the report said, partly because the governing document -- the Federal Risk and Authorization Management Program, or FedRAMP -- is only in its early stages.

“For example, [General Services Administration] officials stated that the process to certify Google to meet government standards for their migration to cloud-based email was a challenge,” auditors said. “They explained that, contrary to traditional computing solutions, agencies must certify an entire cloud vendor’s infrastructure. In Google’s case, it took GSA more than a year to certify more than 200 Google employees and the entire organization’s infrastructure (including hundreds of thousands of servers) before GSA could use Google’s service.”

Cultural barriers also have been a challenge.

“For example, a State [Department] official explained that public leaks of sensitive information have put the agency on a more risk-averse footing, which makes it more reluctant to migrate to a cloud solution,” the report said.

GAO recommended the surveyed agencies “establish estimated costs, performance goals and plans to retire associated legacy systems” for cloud-based systems and “develop, at a minimum, estimated costs, milestones, performance goals and plans for retiring legacy systems.”

The agencies agreed with the recommendations with some qualifications.

The surveyed agencies were the Agriculture, Health and Human Services, Homeland Security, State and Treasury departments, and the Small Business Administration and General Services Administration.
