DOD lacks a standardized definition for cloud computing and an inventory to track cloud-based contracts.
One year later, that question remains unanswered, according to an IG audit released Dec. 28, which criticized the Pentagon for lacking a standardized definition for cloud computing and an inventory to track cloud-based contracts.
“Without an accurate status of existing cloud computing service contracts, the DOD CIO cannot determine whether DOD achieves savings or gains efficiencies to measure the effectiveness of the DOD cloud computing initiative, which might impact DOD’s cloud implementation efforts,” auditors concluded. “In addition, without knowing what data DOD components place on the cloud, DOD may not effectively identify and monitor cloud computing security risks.”
The IG originally sought to determine whether DOD components analyzed the costs and benefits of acquiring cloud services and whether components actually achieved cost savings.
Cloud computing is a nebulous term that essentially refers to the use of remote servers to manage, process or store data.
The federal government tends to refer to the National Institute of Standards and Technology’s definition to explain cloud computing, and that appears to be the course the DOD Office of the Chief Information Officer took, too. The NIST model for cloud computing is based on five characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service.
But various Defense components interpreted NIST’s cloud computing definition differently, leading to confusion, according to the audit.
Further, the DOD CIO lacked an “integrated repository” to track cloud computing service contract information across the department, according to the audit.
Representatives for the CIO shop told the IG that reporting systems need significant improvement before they can provide “a good inventory of cloud computing activity.”
Currently, DOD reporting systems are not integrated, meaning it’s difficult for various components to have visibility across the department. Reporting system improvements are expected, but they likely won’t occur before fiscal 2016, the audit states.
Not surprisingly, the IG believes the Pentagon can’t track cloud computing cost savings if it can’t first track its cloud service inventory.
“DOD’s ability to track cloud computing cost savings and benefits is greatly limited if DOD is not aware what cloud computing service contracts exist within DOD,” the audit states.
The IG called on the CIO’s office to come up with a standard definition for cloud computing and to create a proper inventory of cloud service contracts. In a series of responses included in the audit, CIO officials contended the Pentagon had already taken steps to address those issues.
CIO officials specifically referred to a “cloud computing security requirements guide” released in 2015, which established a standard definition of cloud computing “and processes for assessing cloud security risks.”
The rebuttal did not sway auditors, however, who left the recommendation open.
This is the IG’s second consecutive critical audit on the Pentagon’s cloud use.