Audit Report

12-28-2015
Cyber Security
DoD Needs an Effective Process to Identify Cloud Computing Service Contracts (Project No. D2015-D000RB-0089.000)
DODIG-2016-038


Objective

Our objective was to determine whether selected DoD Components performed a cost-benefit analysis before acquiring cloud computing services. In addition, we were to identify whether those DoD Components achieved actual savings as a result of adopting cloud services. Due to the limited number of cloud computing service contracts identified, we could not provide a sufficient answer to our announced objective. However, we addressed the need for a standardized cloud computing definition and an integrated repository for cloud computing service contract information to help determine whether DoD is effectively using cloud computing services.

Finding

DoD did not maintain a comprehensive list of cloud computing service contracts. This occurred because the DoD Chief Information Officer (CIO) did not establish a standard, Department-wide definition for cloud computing and did not develop an integrated repository that could provide detailed information to identify cloud computing service contracts. As a result, DoD cannot measure the effectiveness of the DoD cloud computing initiative. Specifically, DoD cannot determine whether it achieves actual cost savings or benefits from adopting cloud computing services. In addition, without knowing what data DoD Components place on the cloud, DoD may not effectively identify and monitor cloud computing security risks.

Recommendations

We recommend that the DoD CIO:

  • issue guidance to either establish a standard, Department-wide cloud computing definition or clarify the National Institute of Standards and Technology definition to consistently identify DoD Component cloud computing service contracts; and
  • establish an integrated repository that provides detailed information to identify DoD cloud computing service contracts after Recommendation 1.a of this report is completed.

Management Comments and Our Response

The Principal Deputy DoD CIO, responding for the DoD CIO, neither agreed nor disagreed with the report recommendations, but provided actions taken by the DoD CIO to address the recommendations. However, the responses provided did not address the specifics of Recommendation 1.a and partially addressed Recommendation 1.b. Therefore, we request that DoD CIO provide additional comments in response to this report by January 27, 2016.

