IG reports hiccups in GSA's cloud adoption

Shutterstock image (by wk1003mike): cloud system fracture. 

The General Services Administration left some sensitive personnel and operational documents exposed as it moved over to the cloud a few years ago, according to a just-released report by the agency's Inspector General.

In a series of reports, the IG said it had to notify GSA officials about sensitive employee and government agency information that was left exposed on its Google Groups, Sites and Docs collaborative tools.

GSA began moving to the cloud in 2011, a year after it awarded its cloud computing contract to Google to host its agencywide emailĀ  system andĀ  collaborationĀ  services.

The GSA IG publicly released the reports on Jan. 27, 2017, but the reports themselves were from the 2014-2015 time period.

The agency left unprotected sensitive information in its cloud computing environment during that time frame, according to the agency watchdog. The IG said it didn't make the reports public at the time out of vulnerability concerns. The problems, it said in release, have since been solved.

For example, there was unsecured personally identifiable information including Social Security numbers in a GSA Google Group, according to Patricia Sheehan, director of GSA IG's Office of Forensic Auditing, Evaluation and Analysis. In a memo, Sheehan said that employee information and proprietary contractor data were accessible to users.

The IG also found that sensitive documents such as a draft National Security Staff Cyber Response Group Protocol, used for White House situational awareness of cyber threats affecting national security, national economic security or national public health and safety, could be accessed.

The IG said on July 29, 2014, the GSA incident response team isolated the GSA Google Group identified by the OIG and took corrective action immediately to set security permissions for authorized users only. The agency proceeded to submit a timely US-CERT incident report on the matter, it said.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at [email protected] or follow him on Twitter at @MRockwell4.


  • FCW Perspectives
    zero trust network

    Why zero trust is having a moment

    Improved technologies and growing threats have agencies actively pursuing dynamic and context-driven security.

  • Workforce
    online collaboration (elenabsl/Shutterstock.com)

    Federal employee job satisfaction climbed during pandemic

    The survey documents the rapid change to teleworking postures in government under the COVID-19 pandemic.

Stay Connected