NASA Cloud Contracts Slammed By Auditor - InformationWeek
7/30/2013
12:54 PM

NASA Cloud Contracts Slammed By Auditor

Space agency's early moves into cloud were poorly managed, may have exposed the organization to risk, inspector general reports.

NASA has scored low marks from its own auditor on its progress in adopting cloud computing technologies. In a report published Monday, the NASA Office of Inspector General concluded that weaknesses in the body's IT governance and risk management practices have "impeded" it from gaining the full benefits of cloud.

For example, several NASA centers moved systems and data into the public cloud without the knowledge or consent of NASA's Office of the CIO (OCIO), while the agency struck deals with suppliers using contracts that "failed to fully address the business and IT security risks unique to the cloud environment." Of five deals the IG looked at closely, not one came close to meeting "recommended best practices for ensuring data security," it said. At the same time, NASA seems to have signed deals with no clauses for making sure contractor performance would be measured, reported and enforced, or for establishing whether these new cloud partners had the right federal privacy, discovery, or data retention and destruction credentials or procedures in place.

The IG also reported that one or two "moderate impact" NASA IT systems ran in a public cloud environment for about two years without authorization from its OCIO, and without any "security or contingency plan" or test of any systems' security controls. That's because, it said, the agency's IT leadership wasn't aware of all the cloud services and suppliers that various NASA departments were using, nor was any of it centrally managed.


This occurred in spite of the NASA OCIO's Federal Risk and Authorization Management Program (or FedRAMP) compliant plan for getting cloud into the organization. However, it appears that plan wasn't rolled out to departments to help them get the most compliant deals.

Even so, NASA hasn't bet the farm on cloud just yet, spending only $10 million of its $1.5 billion yearly IT budget on the technology. In addition, according to the audit, so far about a million dollars a year of IT savings are being garnered by cloud.

Still, as many as 75% of new IT programs are projected to have some cloud element between now and 2018. A big chunk of NASA's public data could also be there, along with as much as 40% of heritage systems. As the study stresses, "As NASA moves more of its systems and data to the cloud, it is imperative that the agency strengthen its governance and risk management practices to safeguard its data while effectively spending its IT funds."

The report lists a set of recommendations for recently appointed NASA CIO Larry Sweet to rectify the agency's first cloud moves. It noted that Sweet's team "concurred with our recommendations and proposed corrective actions," but committed to follow its suggested means of improving the agency's IT governance and risk management practices "subject to the availability of funds."

Comments
Bart Riley,
User Rank: Apprentice
7/31/2013 | 7:57:57 PM
re: NASA Cloud Contracts Slammed By Auditor
It's really too bad that the current administration is pushing organizations like NASA to the cloud. NASA has no reason to be in the cloud, nor does a large majority of the rest of the Federal Government. We have children in Washington that have no idea what they are doing.
AKEIM329,
User Rank: Apprentice
8/1/2013 | 12:23:22 PM
re: NASA Cloud Contracts Slammed By Auditor
Tough to know if cloud providers have the correct federal requirements in place. If FedRAMP would get with the program, and certify more than just a few measly IaaS providers (which does not offer much - most customers are after either PaaS or SaaS), then perhaps it would make implementing in the cloud, AND the oversight easier!