Our objective was to determine whether
selected DoD Components performed a
cost-benefit analysis before acquiring
cloud computing services. In addition,
we were to identify whether those
DoD Components achieved actual savings
as a result of adopting cloud services.
Due to the limited number of cloud computing
service contracts identified, we could not
provide a sufficient answer to our announced
objective. However, we addressed the
need for a standardized cloud computing
definition and an integrated repository for
cloud computing service contract information
to help determine whether DoD is effectively
using cloud computing services.
DoD did not maintain a comprehensive
list of cloud computing service contracts.
This occurred because the DoD Chief
Information Officer (CIO) did not establish
a standard, Department-wide definition
for cloud computing and did not develop
an integrated repository that could
provide detailed information to identify
cloud computing service contracts.
As a result, DoD cannot measure the
effectiveness of the DoD cloud computing
initiative. Specifically, DoD cannot determine
whether it achieves actual cost savings or
benefits from adopting cloud computing
services. In addition, without knowing what
data DoD Components place on the cloud,
DoD may not effectively identify and monitor
cloud computing security risks.
We recommend that the DoD CIO:
- issue guidance to either establish a standard, Department-wide cloud computing definition or clarify the National Institute of Standards and Technology definition to consistently identify DoD Component cloud computing service contracts; and
- establish an integrated repository that provides detailed information to identify DoD cloud computing service contracts after Recommendation 1.a of this report is completed.
and Our Response
The Principal Deputy DoD CIO, responding for the
DoD CIO, neither agreed nor disagreed with the report
recommendations, but provided actions taken by the DoD CIO
to address the recommendations. However, the responses
provided did not address the specifics of Recommendation 1.a
and partially addressed Recommendation 1.b. Therefore,
we request that DoD CIO provide additional comments in
response to this report by January 27, 2016.