IGs seek better access to federal clouds

The breakdown of the VA's cloud email deal last year highlights the question of how to maintain oversight of cloud-based computer systems.

Shutterstock image: the data cloud connecting a number of global services.

The trouble started in 2006, when Chuck Coe, the assistant Inspector general for IT audits and computer crime at the Department of Education, had to issue a subpoena to a subcontractor to get access to IP addresses and diagrams from a subcontractor doing hosting for the agency. The subcontractor challenged Coe in court, out of concern that the investigation might compromise the security of other customers. Coe prevailed; the subcontractor unmingled the Education data from its public cloud and put them in their own environment.

The problem for Coe was that the process, from start to finish, took a year.

"You can rely on the IG Act to get access, but it is far better to have it in the contract language itself," Coe said in an interview with FCW.

This event stuck in Coe's mind as the government launched its cloud-first policy. He was concerned that IGs, general counsel staff and others charged with federal agency oversight could lose access to important information as it migrated into commercial cloud environments.

As chairman of the IT investigations subcommittee of the Council of Inspectors General on Integrity and Ethics, Coe led an effort to develop standard contract language for cloud computing services to go into the Federal Acquisition Regulations. The IGs need access to conduct their reviews of Federal Information System Management Act compliance, and for investigations.

The proposed FAR clause includes guarantees of physical access, documentation and system data for IGs, as well as notification in the event of any security incident that qualifies under the definitions laid out by the National Institute for Standards and Technology. The language would be required in any subcontract arranged by the prime contractor. The proposal is currently stalled at the FAR Council. Industry was not receptive to the request, Coe said.

Commercial cloud providers face a gray area when it comes to federal access to their systems. Vendors are obligated to look after the legal and constitutional rights of cloud tenants whose data is intermingled with that of federal users. Oversight officials, including IGs, say their mandate requires them to have physical access to any data center that has agency data, potentially putting them in a position to access information on non-federal users.

"This is a legal boundary that I don't believe was anticipated until someone actually bumped into it," said Trey Hodgkins, senior vice president at the Information Technology Alliance for Public Sector at the Information Technology Industry Council.

Paper laws for a tech age

A lack of oversight into agency cloud operations can have financial consequences.

At the Department of Veterans Affairs, a $36 million cloud deal was scuttled in 2013 in part due to a running disagreement between CIO Stephen Warren and acting IG Richard Griffin over the retention of email and overall access to cloud systems. The OIG at VA had shared Coe's draft language with the CIO's office when the cloud email project was still on the drawing board, but its provisions were not part of the final request for proposal issued by VA.

IGs who want to guarantee access to cloud environments must make their case internally. "That's the part your IG has to be mindful and aware of when these contracts are being considered, and engage the CIO or the contracting officer," Coe said. "You can do it at the agency level, but if it's in the FAR, a contractor can't argue with it," he said.

The military is trying to move the ball forward on cloud access. Jodi Cramer, a senior attorney at the Judge Advocate General of the Air Force, is leading a parallel effort to modify the Defense Federal Acquisition Regulation. Launched about a year ago, the DFAR modification effort is a piece of the overall Department of Defense-wide strategy to offer commercial cloud services to the military, led by the Defense Information Systems Agency.

We feel very strongly that moving our data to a commercial environment brings inherent risks to the government, and we need to ensure that there is certain language in contracts to protect us.

This effort is in a pre-decisional stage, and it could be a year before a proposed rule is accepted by the Office of Management and Budget and put out for comment in the Federal Register. Cramer couldn't comment on the exact contract language she is seeking, but the effort tracks closely with a March 2014 update to DISA's cloud security model. Those guidelines specify that DoD agencies and law enforcement be granted physical access to data centers for audit purposes, FISMA compliance and IG investigations, and be permitted to copy or extract data as needed.

The DISA requirements state that cloud vendors "shall segregate the data and afford access to such information in a secure and private space, and without [vendor] presence, if requested." The document specifies additional requirements covering agency users, including compliance with federal records law, and the guarantees that law enforcement and auditing officials will be able to get data from systems without a warrant or subpoena.

Yet adapting Privacy Act and Inspector General Act rules to cover federal participation in the evolving commercial cloud industry is tricky.

"We're trying to fit laws based on paper into a technological age," Cramer said. At the same time, he said, "we feel very strongly that moving our data to a commercial environment brings inherent risks to the government, and we need to ensure that there is certain language in contracts to protect us."

The Council of Inspectors General on Integrity and Ethics is preparing a survey on cloud contracts as part of a process that includes 20 IGs.

The CIGIE study is based on a 2013 survey NASA did of its cloud contracts that found wide variances in the costs and security controls of the space agency's cloud portfolio.

"I think [the CIGIE report] is going to be very eye-opening in terms of how well the federal government is doing in writing cloud contract language,” Coe said. “If the NASA report is any indication, then I think it's going to demonstrate that we have room for improvement." That report is due out later this summer.

Eroding leadership

Access to cloud environments by law enforcement is not just a federal agency issue.

While most government clouds are required to store data on systems in the continental United States, commercial clients can have data sprawling across the globe. Law enforcement and regulators are being challenged by commercial providers over requests for access to data – even under subpoena or search warrant.

Microsoft is fighting an order from a federal magistrate to turn over emails on a customer that are stored on a data center in Ireland. Microsoft argues that complying with the order "would violate international law and treaties, and reduce the privacy protection of everyone on the planet."

While the case doesn't directly bear on the issue of federal cloud contracts -- feds and contractors have no expectation of privacy while using federal systems -- it is interesting to see the cloud industry close ranks against the government in the wake of the Edward Snowden leaks.

U.S. cloud providers are concerned that surveillance by U.S. intelligence agencies is weakening them in the global market. The Information Technology and Innovation Foundation estimated last year that the Snowden revelations would cost the U.S. cloud industry $35 billion in lost business.

Microsoft's filing reflects this concern, saying that a government victory in this case would "ultimately erode the leadership of U.S. technology companies in the global market."

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.