EPA’s cloud computing conundrum

An IG report critical of the agency’s handling of its cloud services shows a “business as usual” approach to managing assets, says a Deltek analyst.

An inspector general's report -- which has raised questions about whether the Environmental Protection Agency is on top of its various cloud initiatives -- is symptomatic of a larger problem across the federal government, says Alex Rossino, principal research analyst on Deltek's Federal Industry Analysis team.

"I think this situation points to the fact that despite the 'Stat' initiatives, agencies are still business as usual when it comes to managing IT assets," Rossino said.

The EPA's IG found that the agency didn't know when its offices were using cloud computing and that several of EPA's subcontracting processes for cloud projects were lacking. The IG report, released July 24, said the EPA needs to "strengthen its catalog of cloud vendors and processes to manage vendor relationships" in order to be compliant with federal security requirements.

The report comes two years after the EPA announced it would move 80 percent of its computing environments to the cloud by 2015. At the time, CGI Federal announced the $15 million, 3-year contract that would migrate 20 percent of EPA's environment to the cloud in the first year, and then 30 percent in years two and three. In 2012, Toni Townes-Whitley, senior VP at CGI, said EPA's move "is setting an impressive pace for cloud adoption."

However, the IG report suggests that the proper infrastructure wasn't in place to support that move.

"Technology is not the problem. It's easy to get into the cloud," Rossino said. "They don't have the processes in place to manage the investments. It's not just a cloud problem. It's a federal IT problem."

One solution, Rossino said, would be to attach to every agency CIO a team or a person responsible for managing what is being moved to the cloud and what contracts are being used to manage it. Automated cloud management software would also be a step in the right direction, he added.

Counting the clouds

The IG audit was based on results from a Council of the Inspectors General on Integrity and Efficiency survey on deployment of cloud computing technologies.

The EPA IG specifically looked into the contract for the Office of Water's Permit Management Oversight System.

The auditor found several problems, including a subcontractor not compliant with FedRAMP guidelines, and no assurance that "the EPA has access to the subcontractor's cloud environment for audit and investigative purposes."

Survey results found that there were 11 total IT cloud services at EPA. The IG said he lacked confidence that number was accurate, citing the way program offices collected information about how many cloud services were being offered.

The EPA's Office of Acquisition Management (OAM) indicated that the survey was "completed by performing a search for the word 'cloud' in the procurement description."

"As a result, the auditor concludes that regardless of whether a contract was a cloud contract, the contract would only be included on the list if the term 'cloud' appeared in the description of the procurement," the report said.

There is no database that specifically identifies "cloud" procurements, according to OAM.

During this process, the auditor found one application wrongly listed as a cloud application and two that appear to be cloud applications but weren't included in the survey results.