IGs seek better access to federal clouds

Shutterstock image: the data cloud connecting a number of global services.

The trouble started in 2006, when Chuck Coe, the assistant Inspector general for IT audits and computer crime at the Department of Education, had to issue a subpoena to a subcontractor to get access to IP addresses and diagrams from a subcontractor doing hosting for the agency. The subcontractor challenged Coe in court, out of concern that the investigation might compromise the security of other customers. Coe prevailed; the subcontractor unmingled the Education data from its public cloud and put them in their own environment.

The problem for Coe was that the process, from start to finish, took a year.

"You can rely on the IG Act to get access, but it is far better to have it in the contract language itself," Coe said in an interview with FCW.

This event stuck in Coe's mind as the government launched its cloud-first policy. He was concerned that IGs, general counsel staff and others charged with federal agency oversight could lose access to important information as it migrated into commercial cloud environments.

As chairman of the IT investigations subcommittee of the Council of Inspectors General on Integrity and Ethics, Coe led an effort to develop standard contract language for cloud computing services to go into the Federal Acquisition Regulations. The IGs need access to conduct their reviews of Federal Information System Management Act compliance, and for investigations.

The proposed FAR clause includes guarantees of physical access, documentation and system data for IGs, as well as notification in the event of any security incident that qualifies under the definitions laid out by the National Institute for Standards and Technology. The language would be required in any subcontract arranged by the prime contractor. The proposal is currently stalled at the FAR Council. Industry was not receptive to the request, Coe said.

Commercial cloud providers face a gray area when it comes to federal access to their systems. Vendors are obligated to look after the legal and constitutional rights of cloud tenants whose data is intermingled with that of federal users. Oversight officials, including IGs, say their mandate requires them to have physical access to any data center that has agency data, potentially putting them in a position to access information on non-federal users.

"This is a legal boundary that I don't believe was anticipated until someone actually bumped into it," said Trey Hodgkins, senior vice president at the Information Technology Alliance for Public Sector at the Information Technology Industry Council.

Paper laws for a tech age

A lack of oversight into agency cloud operations can have financial consequences.

At the Department of Veterans Affairs, a $36 million cloud deal was scuttled in 2013 in part due to a running disagreement between CIO Stephen Warren and acting IG Richard Griffin over the retention of email and overall access to cloud systems. The OIG at VA had shared Coe's draft language with the CIO's office when the cloud email project was still on the drawing board, but its provisions were not part of the final request for proposal issued by VA.

IGs who want to guarantee access to cloud environments must make their case internally. "That's the part your IG has to be mindful and aware of when these contracts are being considered, and engage the CIO or the contracting officer," Coe said. "You can do it at the agency level, but if it's in the FAR, a contractor can't argue with it," he said.

The military is trying to move the ball forward on cloud access. Jodi Cramer, a senior attorney at the Judge Advocate General of the Air Force, is leading a parallel effort to modify the Defense Federal Acquisition Regulation. Launched about a year ago, the DFAR modification effort is a piece of the overall Department of Defense-wide strategy to offer commercial cloud services to the military, led by the Defense Information Systems Agency.

We feel very strongly that moving our data to a commercial environment brings inherent risks to the government, and we need to ensure that there is certain language in contracts to protect us.

This effort is in a pre-decisional stage, and it could be a year before a proposed rule is accepted by the Office of Management and Budget and put out for comment in the Federal Register. Cramer couldn't comment on the exact contract language she is seeking, but the effort tracks closely with a March 2014 update to DISA's cloud security model. Those guidelines specify that DoD agencies and law enforcement be granted physical access to data centers for audit purposes, FISMA compliance and IG investigations, and be permitted to copy or extract data as needed.

The DISA requirements state that cloud vendors "shall segregate the data and afford access to such information in a secure and private space, and without [vendor] presence, if requested." The document specifies additional requirements covering agency users, including compliance with federal records law, and the guarantees that law enforcement and auditing officials will be able to get data from systems without a warrant or subpoena.

Yet adapting Privacy Act and Inspector General Act rules to cover federal participation in the evolving commercial cloud industry is tricky.

"We're trying to fit laws based on paper into a technological age," Cramer said. At the same time, he said, "we feel very strongly that moving our data to a commercial environment brings inherent risks to the government, and we need to ensure that there is certain language in contracts to protect us."

The Council of Inspectors General on Integrity and Ethics is preparing a survey on cloud contracts as part of a process that includes 20 IGs.

The CIGIE study is based on a 2013 survey NASA did of its cloud contracts that found wide variances in the costs and security controls of the space agency's cloud portfolio.

"I think [the CIGIE report] is going to be very eye-opening in terms of how well the federal government is doing in writing cloud contract language,” Coe said. “If the NASA report is any indication, then I think it's going to demonstrate that we have room for improvement." That report is due out later this summer.

Eroding leadership

Access to cloud environments by law enforcement is not just a federal agency issue.

While most government clouds are required to store data on systems in the continental United States, commercial clients can have data sprawling across the globe. Law enforcement and regulators are being challenged by commercial providers over requests for access to data – even under subpoena or search warrant.

Microsoft is fighting an order from a federal magistrate to turn over emails on a customer that are stored on a data center in Ireland. Microsoft argues that complying with the order "would violate international law and treaties, and reduce the privacy protection of everyone on the planet."

While the case doesn't directly bear on the issue of federal cloud contracts -- feds and contractors have no expectation of privacy while using federal systems -- it is interesting to see the cloud industry close ranks against the government in the wake of the Edward Snowden leaks.

U.S. cloud providers are concerned that surveillance by U.S. intelligence agencies is weakening them in the global market. The Information Technology and Innovation Foundation estimated last year that the Snowden revelations would cost the U.S. cloud industry $35 billion in lost business.

Microsoft's filing reflects this concern, saying that a government victory in this case would "ultimately erode the leadership of U.S. technology companies in the global market."

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy, health IT and the Department of Veterans Affairs. Prior to joining FCW, Mr. Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian started his career as an arts reporter and critic, and has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, Architect magazine, and other publications. He was an editorial assistant and staff writer at the now-defunct New York Press and arts editor at the online network in the 1990s, and was a weekly contributor of music and film reviews to the Washington Times from 2007 to 2014.

Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.

The Fed 100

Read the profiles of all this year's winners.


  • Then-presidential candidate Donald Trump at a 2016 campaign event. Image: Shutterstock

    'Buy American' order puts procurement in the spotlight

    Some IT contractors are worried that the "buy American" executive order from President Trump could squeeze key innovators out of the market.

  • OMB chief Mick Mulvaney, shown here in as a member of Congress in 2013. (Photo credit Gage Skidmore/Flickr)

    White House taps old policies for new government makeover

    New guidance from OMB advises agencies to use shared services, GWACs and federal schedules for acquisition, and to leverage IT wherever possible in restructuring plans.

  • Shutterstock image (by Everett Historical): aerial of the Pentagon.

    What DOD's next CIO will have to deal with

    It could be months before the Defense Department has a new CIO, and he or she will face a host of organizational and operational challenges from Day One

  • USAF Gen. John Hyten

    General: Cyber Command needs new platform before NSA split

    U.S. Cyber Command should be elevated to a full combatant command as soon as possible, the head of Strategic Command told Congress, but it cannot be separated from the NSA until it has its own cyber platform.

  • Image from Shutterstock.

    DLA goes virtual

    The Defense Logistics Agency is in the midst of an ambitious campaign to eliminate its IT infrastructure and transition to using exclusively shared, hosted and virtual services.

  • Fed 100 logo

    The 2017 Federal 100

    The women and men who make up this year's Fed 100 are proof positive of what one person can make possibile in federal IT. Read on to learn more about each and every winner's accomplishments.

Reader comments

Thu, Jul 31, 2014 OldColdWarrior

The need for IG audit of public data leads into private data is asserted, but the words missing are those necessary to make the policy enforceable and the empowered overseers accountable to enforce the law. When public and private data rights are commingled then the law must clearly disambiguate their separation if the physical repositories are not separately implemented and auditable to protect private (commercial data rights owners) information. It is a tough nut to crack, and it requires clarity if it is to function and preserve confidentiality of the data owners, who are not direct accountable to FedRAMP once it enters the Government Cloud. This should make sense. Government Data Rights are not exclusively those that must be considered and protected by IG oversight and audit, anymore than are Tea Party confidential data for protection within the IRS. Consider this real world example and the fiasco we see daily in the media. It is essential to make sound and operative laws, not merely E.O.s on the whim of one individual.

Thu, Jun 26, 2014

This references one event in 2006 and that “you can rely on the IG Act to get access”. Given the small scope of a incidents (one listed) and the ability to execute the law, is a change to the FAR necessary? Why waste government money auditing contracts for clauses that appear to be “nice to have”? Audit the impact for following the IG Act and give it as advice to Congress. Congress then modifies the law. Government leadership issued a cloud first policy and the IG states they can still do the job, has leadership approved the changes to the FAR advocated here or been appraised of the impact? A reader can't tell leaderships position since many of the quotes are from those who give counsel, but don't have authority.

Thu, Jun 19, 2014 Ponzi

Doesn't this essentially kill FedRAMP? Or any effort to move Federal IT to commercial data centers? If the IG have their way, the Feds will have to buy their own huge data center, staff it with FTEE & even then segregate every agency's system from the next. Idiocy.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group