Audit Reports

Date

DOT Lacks an Effective Process for Its Transition to Cloud Computing

Requested By
Self-Initiated
Project ID
FI2015047

DOT has taken steps to transition to cloud computing, such as establishing a multi-modal Cloud Working Group, but it has not taken other actions needed to ensure an effective transition. For example, the Department has not established or updated its guidance on contracting for IT services to include cloud systems. Consequently, the guidance does not include requirements for specific contract clauses needed to ensure that cloud service providers keep agencies’ data secure and available, such as provisions that cover maintenance of data integrity, accessibility, and confidentiality. Each of the Department’s cloud contracts lacks at least one of these provisions. Additionally, the Department has not established standards for assessing the costs and benefits of cloud systems. As a result, Operating Administrations cannot determine whether moving to the cloud is cost effective and could achieve expected benefits.

DOT’s oversight of its cloud systems is also ineffective. The Department has not established an accurate inventory of cloud systems—a requirement for effective information system risk management. The Department reported 14 cloud systems, but only 11 were actual cloud systems. Of these 11 systems, only 5 were correctly identified in the Department’s inventory of IT systems. Four were identified as non-cloud systems, and 2 were not in the inventory at all. As a result of the inaccurate inventory, officials who authorize the use of cloud systems lack the information needed to make informed decisions. Furthermore, the Department’s cloud systems did not meet the requirements of the Federal Risk Authorization and Management Program, which provides a standardized approach for security assessment of cloud systems and authorization of their use. The Program required security at all Federal cloud systems to be compliant with its guidelines by June 2014.

We made four recommendations to help improve contracts covering cloud computing and the Department’s oversight of the transition. The Department concurred with our recommendations.

Recommendations

Closed on
No. 1 to OST
Develop guidance for acquisition of cloud services, cost and savings analysis, and operational support for use of those services.
Closed on
No. 2 to OST
Develop a process to verify that non-disclosure agreements and language regarding discovery and investigatory requirements are included in future cloud contracts.
Closed on
No. 3 to OST
Establish procedures to verify systems are accurately inventoried in CSAM.
No. 4 to OST
Establish FedRAMP compliance guidelines and oversight for the Department, and ensure that each Operating Administration put plans in place to meet FedRAMP requirements.