Audit Reports


DOT Lacks an Effective Process for Its Transition to Cloud Computing

Self-Initiated
Project ID: FI-2015-047

Summary

DOT has taken steps to transition to cloud computing, such as establishing a multi-modal Cloud Working Group, but it has not taken other actions needed to ensure an effective transition. For example, the Department has not established or updated its guidance on contracting for IT services to include cloud systems. Consequently, the guidance does not include requirements for specific contract clauses needed to ensure that cloud service providers keep agencies’ data secure and available, such as provisions that cover maintenance of data integrity, accessibility, and confidentiality. Each of the Department’s cloud contracts lacks at least one of these provisions. Additionally, the Department has not established standards for assessing the costs and benefits of cloud systems. As a result, Operating Administrations cannot determine whether moving to the cloud is cost effective and could achieve expected benefits.

DOT’s oversight of its cloud systems is also ineffective. The Department has not established an accurate inventory of cloud systems—a requirement for effective information system risk management. The Department reported 14 cloud systems, but only 11 were actual cloud systems. Of these 11 systems, only 5 were correctly identified in the Department’s inventory of IT systems. Four were identified as non-cloud systems, and 2 were not in the inventory at all. As a result of the inaccurate inventory, officials who authorize the use of cloud systems lack information needed to make informed decisions. Furthermore, the Department’s cloud systems did not meet the requirements of the Federal Risk Authorization and Management Program, which provides a standardized approach for security assessment of cloud systems and authorization of their use. The Program required security at all Federal cloud systems to be compliant with its guidelines by June 2014.

We made four recommendations to help improve contracts covering cloud computing and the Department’s oversight of the transition. The Department concurred with our recommendations.