September 19, 2014
The Department of Energy’s Management of Cloud Computing Activities
In December 2011, the General Services Administration, along with other Government bodies, established the Federal Risk Authorization Management Program (FedRAMP), a risk-based program designed to provide a standard, centralized approach to assessing cybersecurity controls and authorizing cloud computing services for operation. Federal agencies had until June 2014 to ensure that all new and existing cloud services met FedRAMP requirements. As a result of issues identified in a recent National Aeronautics and Space Administration report, a Government-wide initiative was undertaken by the Council of Inspectors General for Integrity and Efficiency to provide insight to agency heads and lawmakers on how well the Federal government has adopted cloud computing technologies.
The Department of Energy (Department) had not always effectively or efficiently acquired, implemented or managed its cloud computing technologies. In particular, we found that programs and sites independently acquired and managed cloud computing services valued at more than $30 million. In addition, the Department had not always established contracts with cloud computing service providers that ensured effective controls over the management of stored or transmitted information. Further, the Department had not ensured that cloud computing services were implemented in accordance with FedRAMP.
These issues occurred, in part, because the Department lacked a comprehensive strategy designed to ensure effective and efficient implementation of cloud computing technologies. In addition, officials had not provided adequate oversight to ensure that programs and sites had taken appropriate action to acquire and implement cloud computing initiatives. We made recommendations that, if fully implemented, should help the Department manage its implementation of cloud technologies in a more secure and cost-effective manner.
Topic: Management and Administration