IG reports hiccups in GSA's cloud adoption

Shutterstock image (by wk1003mike): cloud system fracture. 

The General Services Administration left some sensitive personnel and operational documents exposed as it moved over to the cloud a few years ago, according to a just-released report by the agency's Inspector General.

In a series of reports, the IG said it had to notify GSA officials about sensitive employee and government agency information that was left exposed on its Google Groups, Sites and Docs collaborative tools.

GSA began moving to the cloud in 2011, a year after it awarded its cloud computing contract to Google to host its agencywide emailĀ  system andĀ  collaborationĀ  services.

The GSA IG publicly released the reports on Jan. 27, 2017, but the reports themselves were from the 2014-2015 time period.

The agency left unprotected sensitive information in its cloud computing environment during that time frame, according to the agency watchdog. The IG said it didn't make the reports public at the time out of vulnerability concerns. The problems, it said in release, have since been solved.

For example, there was unsecured personally identifiable information including Social Security numbers in a GSA Google Group, according to Patricia Sheehan, director of GSA IG's Office of Forensic Auditing, Evaluation and Analysis. In a memo, Sheehan said that employee information and proprietary contractor data were accessible to users.

The IG also found that sensitive documents such as a draft National Security Staff Cyber Response Group Protocol, used for White House situational awareness of cyber threats affecting national security, national economic security or national public health and safety, could be accessed.

The IG said on July 29, 2014, the GSA incident response team isolated the GSA Google Group identified by the OIG and took corrective action immediately to set security permissions for authorized users only. The agency proceeded to submit a timely US-CERT incident report on the matter, it said.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at mrockwell@fcw.com or follow him on Twitter at @MRockwell4.


  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.