Report | Dec. 4, 2014

DoD Cloud Computing Strategy Needs Implementation Plan and Detailed Waiver Process

DODIG-2015-045

Objective

Our objective was to determine whether DoD effectively planned and executed a strategy for implementing cloud computing. This is the first in a series of audits on cloud computing.

Findings

DoD did not fully execute elements of the DoD Cloud Computing Strategy. For example, DoD did not fully develop skills training for the acquisition and contract specialists who procure cloud computing services and fully develop cloud service broker management capabilities.

For the three cloud computing contracts we reviewed, DoD Components did not obtain waivers from the designated review authority to use a non-DoD approved cloud service provider.

This occurred because the DoD Chief Information Officer did not develop an implementation plan that included assignment of roles and responsibilities and associated tasks, resources, and milestones. In addition, the DoD Chief Information Officer did not have a detailed written process for obtaining a cloud computing waiver.

As a result, DoD may not realize the full benefits of cloud computing. In addition, DoD was at greater risk of not preserving the security of DoD information against cyber threats.

Recommendations

Among other recommendations, we recommended that the DoD Chief Information Officer develop an implementation plan for the DoD Cloud Computing Strategy that assigns roles and responsibilities as well as associated tasks, resources, and milestones. We also recommended the Army Program Executive Officer Enterprise Information Systems and the Chief Information Officer, National Defense University work with the DoD Chief Information Officer and apply for waivers for their respective cloud computing contracts. Further, we recommend the DoD Chief Information Officer develop and publish a waiver process providing detailed guidance on how to obtain a cloud computing waiver.

Management Comments

The management comments received from the Acting Principal Deputy DoD Chief Information Officer, responding for the DoD Chief Information Officer, did not fully address our recommendation to develop an implementation plan for the DoD Cloud Computing Strategy, but did address our recommendation to develop and publish a cloud computing waiver process. In addition, the management comments received from the Army Project Director, Computer Hardware Enterprise Software and Solutions, responding for the Army Program Executive Officer Enterprise Information Systems, and Chief Information Officer, National Defense University addressed our recommendations to apply for waivers for their respective cloud computing contracts. We request that the DoD Chief Information Officer provide additional comments on the final report.