For example, several NASA centers moved systems and data into the public cloud without the knowledge or consent of NASA's Office of the CIO (OCIO), while it struck deals with suppliers using contracts that "failed to fully address the business and IT security risks unique to the cloud environment." Of five deals the IG looked at closely, not one came close to meeting "recommended best practices for ensuring data security," it said. At the same time, NASA seems to have signed deals that had no clauses for making sure contractor performance would be measured, reported and enforced, or whether these new cloud partners had the right federal privacy, discovery, or data retention and destruction credentials or procedures in place.
The IG also reported that one or two "moderate impact" NASA IT systems ran in a public cloud environment for about two years without authorization from its OCIO, and without any "security or contingency plan" or test of any systems' security controls. That's because, it said, the agency's IT leadership wasn't aware of all the cloud services and suppliers that various NASA departments were using, nor was any of it centrally managed.
[ Learn more about 5 Habits Of Highly Effective Government IT Leaders. ]
This occurred in spite of the NASA OCIO's Federal Risk and Authorization Management Program (or FedRAMP) compliant plan for getting cloud into the organization. However, it appears that plan wasn't rolled out to departments to help them get the most compliant deals.
Even so, NASA hasn't bet the farm on cloud just yet, spending only $10 million of its $1.5 billion yearly IT budget on the technology. In addition, according to the audit, so far about a million dollars a year of IT savings are being garnered by cloud.
Still, as many as 75% of new IT programs are projected to have some cloud element between now and 2018. Also, a big chunk of its public data could be there and as much as 40% of heritage systems, too. As the study stresses, "As NASA moves more of its systems and data to the cloud, it is imperative that the agency strengthen its governance and risk management practices to safeguard its data while effectively spending its IT funds."
The report lists a set of recommendations for recently appointed NASA CIO Larry Sweet to rectify the agency's first cloud moves. It noted that Sweet's team "concurred with our recommendations and proposed corrective actions," but committed to follow its suggested means of improving the agency's IT governance and risk management practices "subject to the availability of funds."