NASA Cloud Contracts Slammed By Auditor - InformationWeek
Cloud // Platform as a Service
12:54 PM
Building Security for the IoT
Nov 09, 2017
In this webcast, experts discuss the most effective approaches to securing Internet-enabled system ...Read More>>

NASA Cloud Contracts Slammed By Auditor

Space agency's early moves into cloud were poorly managed, may have exposed the organization to risk, inspector general reports.

NASA's Next 5 Missions
NASA's Next 5 Missions
(click image for larger view)
NASA has scored low marks from its own auditor on its progress in adopting cloud computing technologies. In a report published Monday, the NASA Office of Inspector General concluded that weaknesses in the body's IT governance and risk management practices have "impeded" it from gaining the full benefits of cloud.

For example, several NASA centers moved systems and data into the public cloud without the knowledge or consent of NASA's Office of the CIO (OCIO), while it struck deals with suppliers using contracts that "failed to fully address the business and IT security risks unique to the cloud environment." Of five deals the IG looked at closely, not one came close to meeting "recommended best practices for ensuring data security," it said. At the same time, NASA seems to have signed deals that had no clauses for making sure contractor performance would be measured, reported and enforced, or whether these new cloud partners had the right federal privacy, discovery, or data retention and destruction credentials or procedures in place.

The IG also reported that one or two "moderate impact" NASA IT systems ran in a public cloud environment for about two years without authorization from its OCIO, and without any "security or contingency plan" or test of any systems' security controls. That's because, it said, the agency's IT leadership wasn't aware of all the cloud services and suppliers that various NASA departments were using, nor was any of it centrally managed.

[ Learn more about 5 Habits Of Highly Effective Government IT Leaders. ]

This occurred in spite of the NASA OCIO's Federal Risk and Authorization Management Program (or FedRAMP) compliant plan for getting cloud into the organization. However, it appears that plan wasn't rolled out to departments to help them get the most compliant deals.

Even so, NASA hasn't bet the farm on cloud just yet, spending only $10 million of its $1.5 billion yearly IT budget on the technology. In addition, according to the audit, so far about a million dollars a year of IT savings are being garnered by cloud.

Still, as many as 75% of new IT programs are projected to have some cloud element between now and 2018. Also, a big chunk of its public data could be there and as much as 40% of heritage systems, too. As the study stresses, "As NASA moves more of its systems and data to the cloud, it is imperative that the agency strengthen its governance and risk management practices to safeguard its data while effectively spending its IT funds."

The report lists a set of recommendations for recently appointed NASA CIO Larry Sweet to rectify the agency's first cloud moves. It noted that Sweet's team "concurred with our recommendations and proposed corrective actions," but committed to follow its suggested means of improving the agency's IT governance and risk management practices "subject to the availability of funds."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
8/1/2013 | 12:23:22 PM
re: NASA Cloud Contracts Slammed By Auditor
Tough to know if cloud providers have the correct federal requirements in place. If fedramp would get with the program, and certify more than just a few measly IaaS providers (which does not offer much - most customers are after either PaaS or SaaS), then perhaps it would make implementing in the cloud, AND the oversight easier!
Bart Riley
Bart Riley,
User Rank: Apprentice
7/31/2013 | 7:57:57 PM
re: NASA Cloud Contracts Slammed By Auditor
Its really too bad that the current administration is pushing organizations like NASA to the cloud. NASA has no reason to be in the cloud, nor does a large majority of the rest of the Federal Government. We have children in Washington that have no idea what they are doing.
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll