EPA’s cloud computing conundrum


An IG report critical of the agency's handling of its cloud services shows a "business as usual" approach to managing assets, says a Deltek analyst.

An inspector general's report -- which has raised questions about whether the Environmental Protection Agency is on top of its various cloud initiatives -- is symptomatic of a larger problem across the federal government, says Alex Rossino, principal research analyst on Deltek's Federal Industry Analysis team.

"I think this situation points to the fact that despite the 'Stat' initiatives, agencies are still business as usual when it comes to managing IT assets," Rossino said.

The EPA's IG found that the agency didn't know when its offices were using cloud computing and that several of EPA's subcontracting processes for cloud projects were lacking. The IG report, released July 24, said the EPA needs to "strengthen its catalog of cloud vendors and processes to manage vendor relationships," in order to be compliant with federal security requirements.

The report comes two years after the EPA announced it would move 80 percent of its computing environments to the cloud by 2015. At the time, CGI Federal announced the $15 million, 3-year contract that would migrate 20 percent of EPA's environment to the cloud in the first year, and then 30 percent in years two and three. In 2012, Toni Townes-Whitley, senior VP at CGI, said EPA's move "is setting an impressive pace for cloud adoption."

However, the IG report suggests that the proper infrastructure wasn't in place to support that move.

"Technology is not the problem. It's easy to get into the cloud," Rossino said. "They don't have the processes in place to manage the investments. It's not just a cloud problem. It's a federal IT problem."

One solution, Rossino said, would be to attach to every agency CIO a team or a person responsible for managing what is being moved to the cloud and what contracts are being used to manage it. Automated cloud management software would also be a step in the right direction, he added.

Counting the clouds

The IG audit was based on results from a Council of the Inspectors General on Integrity and Efficiency survey on deployment of cloud computing technologies.

The EPA IG specifically looked into the contract for the Office of Water's Permit Management Oversight System.

The auditor found several problems, including a subcontractor not compliant with FedRAMP guidelines, and no assurance that "the EPA has access to the subcontractor's cloud environment for audit and investigative purposes."

Survey results found that there were 11 total IT cloud services at EPA. The IG said he lacked confidence that number was accurate, citing the way program offices collected information about how many cloud services were being offered.

The EPA's Office of Acquisition Management (OAM) indicated that the survey was "completed by performing a search for the word 'cloud' in the procurement description."

"As a result, the auditor concludes that regardless of whether a contract was a cloud contract, the contract would only be included on the list if the term 'cloud' appeared in the description of the procurement," the report said.

There is no database that specifically identifies "cloud" procurements, according to OAM.

During this process, the auditor found one application wrongly listed as a cloud application and two that appear to be cloud applications but weren't included in the survey results.

About the Author

Colby Hochmuth is a former staff writer for FCW.


Reader comments

Fri, Aug 8, 2014

Whoever set the 2015 goals for 80 percent cloud migration by 2015 has little understanding of the budget and procurement processes Federal agencies must comply with, and the added layer of IT security requirements for fledgling cloud apps. Old contracts need to end or be modified and new contracts have to be advertised, completed and awarded, which is typically a year-long process. Once awarded, the technical work needs to begin, which the article correctly states is not the hard part. Meeting IT security requirements is, especially for EPA's vast holdings of confidential business information that require security controls that go far beyond your typical cloud hosting. In addition, there are e-Discovery and FOIA requirements on some data that cloud vendors aren't prepared to accommodate. And while FEDRAMP helps reduce the IT security requirements, many cloud offerings are not FEDRAMP certified and it doesn't eliminate the requirement for Agencies to address security controls FEDRAMP does not address and go through the certification and accreditation process. Add onto this the existing investments Agencies have in IT infrastructure (our own server farms) and IT personnel, EPA furloughs, budget cuts and a government shutdown, and the push to quickly go to the cloud is foolish. Cloud migrations will happen, but they will take time and careful planning. EPA's push to quickly go to the cloud for its email is a good example of what happens when you set arbitrary deadlines--cost over-runs, significant work disruptions and a series of ongoing technical problems. The career IT leaders in the Agency know what needs to be done and how to do it, and it would benefit everyone if our political IT leaders would listen to us.
