As the federal government increasingly turns to cloud computing for on-demand IT services, agencies need to strengthen service level agreements in their contracts with cloud providers or potentially risk security issues, according to the Government Accountability Office.
In a new report issued Thursday, Congress’ watchdog reviewed 21 cloud service contracts from the departments of Defense, Health and Human Services, Homeland Security, Veterans Affairs and Treasury, and found mixed progress by the agencies in meeting “key practices” identified by GAO.
Those practices, which were derived from feedback from industry and government experts, include clearly defining roles and responsibilities of cloud providers and agencies, establishing performance standards and specifying security measures.
Part of the problem identified by GAO is that SLA guidance drafted by the Office of Management and Budget in 2012 was itself incomplete, addressing only seven of the 10 practices GAO has pinpointed.
“Without complete guidance from OMB, there is limited assurance that agencies will apply all the key SLA practices into their cloud computing contracts, and therefore may be unable to hold contractors accountable when performance falls short of their goals,” the report states.
With the exception of Treasury, the audited agencies agreed with GAO’s recommendations to shore up their SLAs in accordance with the watchdog’s new guidance.
OMB, however, did not comment on GAO’s recommendation to include all 10 GAO-approved key SLA practices in future guidance it releases.