Apr 30, 2014
Report Number: SM-MA-14-005
Report Type: Audit Reports
Category: Cost & Pricing

Cloud Computing Contract Clauses

BACKGROUND:

Cloud computing uses remote servers on the Internet to manage, store, and process data. Using cloud computing reduces costs while increasing the efficiency of services; however, it also has risks associated with data leaks and loss of public trust. U.S. Postal Service Supply Management (Technology Infrastructure Portfolio) contracting officials awarded 13 contracts totaling about $303 million for cloud computing services from fiscal years 2007 to 2013. The Postal Service’s Information Security handbook of 2002 was in effect when officials awarded these contracts.

The Council of Inspectors General on Integrity and Efficiency issued a memorandum in 2011 on information accessibility, data security, and privacy concerns that federal agencies should consider before entering into cloud computing contracts. The memorandum identifies areas of concern for federal agencies but is not mandatory for the Postal Service. In August 2013, the Postal Service issued the Cloud Security handbook establishing information security policies and requirements to protect its information in a cloud computing environment.

Our objective was to assess whether cloud computing contracts have adequate controls to address information accessibility, data security, and privacy concerns.

WHAT THE OIG FOUND:

The 13 cloud computing contracts did not address information accessibility and data security for network access and server locations because the Information Security handbook in effect at the time of the contract award did not include these requirements. In addition, the Postal Service exempted a supplier from following the handbook for one contract that did not contain sensitive data. Although the data may not be sensitive, the handbook provides additional requirements such as insurance against losses resulting from data breaches and procedures for timely notification of these breaches.

The Postal Service’s Cloud Security handbook addresses the information accessibility and data security gaps. However, contracting officials were concerned that including the policy in existing cloud computing contracts could increase contract costs. As a result, we identified potential costs of $12,429,228 for mitigating cloud security risks.

WHAT THE OIG RECOMMENDED:

We recommended management include Information Security and Cloud Security handbook requirements in future cloud computing contracts, regardless of data sensitivity, and assess the costs and benefits of incorporating these requirements into existing cloud computing contracts. 

Report Recommendations

R-1: Include requirements from Handbook AS-805, Information Security, and Handbook AS-805H, Cloud Security, in future cloud computing contracts regardless of data sensitivity.
Status: Closed
Value: $0
Initial Management Response: Agree

R-2: Assess the cost and benefits of negotiating post-award agreements with cloud service providers to incorporate requirements from Handbook AS-805, Information Security, and Handbook AS-805H, Cloud Security, in existing cloud computing contracts.
Status: Closed
Value: $0
Initial Management Response: Agree