EPA’s cloud computing conundrum

An IG report critical of the agency's handling of its cloud services shows a "business as usual" approach to managing assets, says a Deltek analyst.

An inspector general's report -- which has raised questions about whether the Environmental Protection Agency is on top of its various cloud initiatives -- is symptomatic of a larger problem across the federal government, says Alex Rossino, principal research analyst on Deltek's Federal Industry Analysis team.

"I think this situation points to the fact that despite the 'Stat' initiatives, agencies are still business as usual when it comes to managing IT assets," Rossino said.

The EPA's IG found that the agency didn't know when its offices were using cloud computing and that several of EPA's subcontracting processes for cloud projects were lacking. The IG report, released July 24, said the EPA needs to "strengthen its catalog of cloud vendors and processes to manage vendor relationships," in order to be compliant with federal security requirements.

The report comes two years after the EPA announced it would move 80 percent of its computing environments to the cloud by 2015. At the time, CGI Federal announced the $15 million, 3-year contract that would migrate 20 percent of EPA's environment to the cloud in the first year, and then 30 percent in years two and three. In 2012, Toni Townes-Whitley, senior VP at CGI, said EPA's move "is setting an impressive pace for cloud adoption."

However, the IG report suggests that the proper infrastructure wasn't in place to support that move.

"Technology is not the problem. It's easy to get into the cloud," Rossino said. "They don't have the processes in place to manage the investments. It's not just a cloud problem. It's a federal IT problem."

One solution, Rossino said, would be to attach to every agency CIO a team or a person responsible for managing what is being moved to the cloud and what contracts are being used to manage it. Automated cloud management software would also be a step in the right direction, he added.

Counting the clouds

The IG audit was based on results from a Council of the Inspectors General on Integrity and Efficiency survey on deployment of cloud computing technologies.

The EPA IG specifically looked into the contract for the Office of Water's Permit Management Oversight System.

The auditor found several problems, including a subcontractor not compliant with FedRAMP guidelines, and no assurance that "the EPA has access to the subcontractor's cloud environment for audit and investigative purposes."

Survey results found that there were 11 total IT cloud services at EPA. The IG said he lacked confidence that number was accurate, citing the way program offices collected information about how many cloud services were being offered.

The EPA's Office of Acquisition Management (OAM) indicated that the survey was "completed by performing a search for the word 'cloud' in the procurement description."

"As a result, the auditor concludes that regardless of whether a contract was a cloud contract, the contract would only be included on the list if the term 'cloud' appeared in the description of the procurement," the report said.

There is no database that specifically identifies "cloud" procurements, according to OAM.

During this process, the auditor found one application wrongly listed as a cloud application and two that appear to be cloud applications but weren't included in the survey results.

About the Author

Colby Hochmuth is a former staff writer for FCW.

Reader comments

Fri, Aug 8, 2014

Whoever set the 2015 goals for 80 percent cloud migration by 2015 has little understanding of the budget and procurement processes Federal agencies must comply with, and the added layer of IT security requirements for fledgling cloud apps. Old contracts need to end or be modified and new contracts have to be advertised, completed and awarded, which is typically a year-long process. Once awarded, the technical work needs to begin, which the article correctly states is not the hard part. Meeting IT security requirements is, especially for EPA's vast holdings of confidential business information that require security controls that go far beyond your typical cloud hosting. In addition, there are e-Discovery and FOIA requirements on some data that cloud vendors aren't prepared to accommodate. And while FEDRAMP helps reduce the IT security requirements, many cloud offerings are not FEDRAMP certified and it doesn't eliminate the requirement for Agencies to address security controls FEDRAMP does not address and go through the certification and accreditation process. Add onto this the existing investments Agencies have in IT infrastructure (our own server farms) and IT personnel, EPA furloughs, budget cuts and a government shutdown, and the push to quickly go to the cloud is foolish. Cloud migrations will happen, but they will take time and careful planning. EPA's push to quickly go to the cloud for its email is a good example of what happens when you set arbitrary deadlines--cost over-runs, significant work disruptions and a series of ongoing technical problems. The career IT leaders in the Agency know what needs to be done and how to do it, and it would benefit everyone if our political IT leaders would listen to us.
