Newly appointed CIO Larry Sweet responded to the findings by recommending actions NASA should take to fix its current governance model, shedding light on what other agencies might avoid as more of their IT operations move to the cloud.
Sweet said that among other actions, NASA would take new steps to develop and publish guidance on how the space agency acquires and uses cloud computing services. The agency's centers will also be required to register all purchases of cloud services with NASA's Computing Services Service Office (CSSO) to meet security requirements. The decision stems from the audit's findings that NASA's centers moved systems and data into public clouds without the CIO's knowledge or approval. The report found that on five occasions NASA acquired cloud computing services using contracts that failed to address IT security risks.
The stakes are significant. NASA projects that within the next five years up to 75% of new IT programs will begin in the cloud, and most of its public data could be stored in the cloud. And as the agency updates its legacy systems, up to 40% of them could move to the cloud. Safeguarding data will be critical during the transition, but without better oversight, NASA could face heightened risks.
The audit report made a total of six recommendations that would help "strengthen NASA's IT governance practices with respect to cloud computing, mitigate business and IT security risks, and improve contractor oversight." NASA's CSSO, established in August 2011, already oversees all computing related services, including data center consolidation and cloud computing. But Sweet admitted that CSSO is lacking in some areas and vowed to make significant changes to meet the recommendations.
Sweet said all NASA organizations would use the WestPrime contract for purchasing such services. Additionally, NASA has terminated its Web services contract with eTouch -- which manages NASA's internal and external Web portals -- and will shut down all legacy eTouch infrastructure this September. The agency is implementing a new system, managed by InfoZen.
NASA will also complete an inventory of its cloud service providers to ensure they comply with Federal Risk and Authorization Management Program (FedRAMP) provisions, a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.
As federal agencies expand their use of public clouds, avoiding unapproved and unsecured cloud services is important to prevent operational disruptions, data loss and the misuse of public funds. NASA officials agreed that cloud computing contracts must incorporate best practices and meet all FedRAMP requirements.
To eliminate confusion and miscommunication about which public clouds are acceptable, establishing a program management office responsible for cloud computing strategy and related standards is essential, according to recommendations in the audit.
The changes are expected to be completed by September 30, 2014, although Sweet said a lot will depend on NASA's budget, which is uncertain at the moment. "The recommendations are feasible; however, the implementation of the recommendations is contingent upon the availability of funds," he said.