Millions of tax dollars and vital government data could be lost because Department of the Interior officials negotiated cloud computing contracts without key financial accountability safeguards and didn’t test their cybersecurity protections.
One Interior Department component used charge cards to purchase 16 cloud service contracts whose cybersecurity protections went untested, the agency’s inspector general reported Tuesday.
Investigators also reviewed four of the Interior Department’s 42 cloud contracts and found they lacked crucial oversight elements.
“We found that none had the controls to monitor and manage their cloud service providers and the data residing within their systems,” the report said. “As a result, DOI data stored in the public cloud proved to be at risk of loss or exposure to unauthorized parties.”
Such omissions were possible because the federal government hasn’t issued in-depth guidelines that could help agencies form comprehensive cloud service contracts, according to the report.
The Interior Department spent nearly $53 million on cloud services as of 2014 and spends around $1 billion annually on information technology.
One Interior Department component, the United States Geological Survey, purchased 16 cloud systems contracts with charge cards “without approval from responsible officials,” the report said.
In fact, IT officials weren’t even aware of those contracts, even though 10 were at least a year old.
“Even more troubling, security controls for these 16 cloud services were never tested to ensure controls were implemented correctly, operating as intended, and produced the desired outcome of protecting the system and its data,” the report said.
One of those cloud service contracts allowed the provider to “modify contract terms without notifying” Geological Survey, which compromises Interior Department data and “increases the likelihood that public funds may be misspent,” the report said.
Geological Survey holds 27 of the Interior Department’s cloud service contracts, the report showed.
Investigators recommended that the Interior Department terminate its contracts purchased through charge cards.
Also, three of the four contracts investigators reviewed in-depth didn’t detail how the provider would “report and respond to IT security incidents, thus increasing the risk that bureaus would be unaware if their data in the cloud had been subject to unauthorized access, modification, or destruction,” the report said.
None of the four contracts gave the Interior Department a “way to ensure that cloud service providers will meet required service levels, which increases the risk of misspending public funds,” the report said.
“None of the contracts we reviewed specified how service provider performance would be reported, monitored and enforced,” it continued.