Federal IG Access to Data Overcast by Rush to the Cloud
Government auditors and general counsel offices are seeking better access to their own data stored by commercial cloud services.
When cloud computing revolutionized the way businesses stored, processed and transmitted data, the rapid transformation—as with many technological advances—left U.S. government agencies behind. The government’s hurried effort to move from traditional stand-alone computers, workstations and networks to cloud computing, a model it did not yet fully understand, left a policy gap that caught some agencies unprepared, particularly their inspector general and general counsel offices.
Contractors and subcontractors that provide cloud computing services to the federal government operate in an ambiguous realm, caught between worries that external probes might jeopardize the security of other customers’ data and the legal requirement to meet the government’s data service needs. And while an earlier federal statute, the Inspector General Act of 1978, already gives auditors legal access to the data, overcoming commercial companies’ resistance is both time consuming and costly.
“Unfortunately, I think there was a rush to the cloud for the federal government, and I don’t think … all aspects of it were well thought out,” says Chuck Coe, assistant inspector general (IG) for Information Technology Audits and Computer Crime Investigations at the U.S. Department of Education. “One of the aspects that was challenging for us was access to the cloud environment. It’s a virtual environment, and it’s a little bit different than the typical data center that federal agencies are used to running and we’re used to visiting and auditing and doing our cyber crime investigations.”
The Office of Management and Budget (OMB) requires agencies to adopt a “cloud first” policy when contemplating information technology purchases, and the General Services Administration set up the Federal Risk and Authorization Management Program (FedRAMP) to help agencies meet cloud-first requirements and adopt cloud computing technologies. FedRAMP’s guidance outlines methods to ensure cloud providers have adequate information technology security, to eliminate duplication of effort and reduce risk management costs, and to enable rapid and cost-effective purchasing of cloud computing services. But it does not provide standardized contract language that guarantees federal IGs and general counsel access to data stored by commercial cloud services for audits or investigations.
The migration to cloud computing introduced a daunting new challenge for officials who perform digital forensics in cloud computing environments, according to a June report by the National Institute of Standards and Technology (NIST) Cloud Computing Forensic Science Working Group.
“The cloud exacerbates many technological, organizational and legal challenges already faced by digital forensics examiners,” reads a portion of the report. “Several of these challenges, such as those associated with data replication, location transparency and multitenancy, are somewhat unique to cloud computing forensics.”
“With the rapid adoption of cloud computing technology, a new need has arisen for the application of digital forensic science to this domain,” the NIST report continues. “The validity and reliability of forensic science is crucial in this new context and requires new methodologies for identifying, collecting, preserving and analyzing evidence in multitenant cloud environments that offer rapid provisioning, global elasticity and broad-network accessibility.”
Several years ago, Education Department auditors needed information from a data center in Georgia that performed the agency’s common origination and disbursement tasking. The private company refused to give auditors IP addresses and network diagrams. “We had to subpoena them for that and it delayed our audit for a year,” Coe says. “The contract language did not flow down properly to give [the Education Department] the leverage needed. However, because of the IG Act, it gave us the ability to subpoena the company, and we ultimately won, but a year later. The moral of the story is it’s better to have great contract language than it is to rely on the IG Act.”
The IG Act, enacted in 1978, created the independent offices of inspectors general to conduct and supervise audits and investigations of federal agencies and employees.
To address the contract-language shortcoming that hamstrings auditors, the Council of the Inspectors General on Integrity and Efficiency (CIGIE) is working to insert concise language into the Federal Acquisition Regulation (FAR) that would give IGs, investigators and general counsel access to data maintained by commercial entities.
Additionally, the Defense Department is in the process of amending its own similar document, the Defense Federal Acquisition Regulation Supplement (DFARS), to include a clause on cloud computing, according to Jodi Cramer, senior air staff counsel in the Information Law Administrative Law Directorate for the U.S. Air Force’s Judge Advocate General Office, which is leading the Pentagon’s charge to update the document.
“The DFARS process is deliberative, and we can’t discuss the current status, but it has been in process for over a year,” Cramer says. “This was part of the [Defense Department] cloud strategy to ensure that cloud service providers comply with all federal laws and regulations regarding [information technology] and information management.”
Absent changes to the FAR, IGs and federal attorneys instead must educate agency contract writers and chief information officers to ensure contracts for cloud computing services by contractors and even subcontractors contain explicit protective language giving auditors required access, Coe advises. “The IG community typically is kind of outside the normal policy-making, legislation [mindset] and things like that. Don’t get me wrong, OMB is well aware of who OIGs are and our mission, … but sometimes they don’t take into consideration what our needs are when some of these things go through,” Coe says.
“We’re trying to address it now,” he continues. “I think it’s important for the individual IGs to make sure that they get together with their contracting office and their CIO to make sure that, even if there is not a FAR clause, that they can get the necessary language put in individual contracts.”
In 2012 NASA shut down its own private cloud computing data center, called Nebula, after officials determined that Amazon and Microsoft offered more reliable and less expensive services. But a year later, a 2013 report reviewing the agency’s cloud service contracts found numerous problems with NASA’s methods for contracting out cloud computing services. “We found that weaknesses in NASA’s [information technology] governance and risk management practices have impeded the agency from fully realizing the benefits of cloud computing and potentially put NASA systems and data stored in the cloud at risk,” reads a portion of the report.
The agency’s risk management practices for acquiring and securing public cloud computing services were ineffective, and some cloud services failed to meet key information technology security requirements. NASA had spent about $1.5 billion a year on its portfolio of information technology assets, which included 550 information systems that control spacecraft, collect and process scientific data, provide security for information technology infrastructure and let NASA personnel collaborate with colleagues.
“In the past, it would be a government-owned data center, and we would essentially be able to walk right in the front door and do what we needed to do and talk to who we wanted to talk to,” Coe says. “When it’s the private sector, it’s not quite the same.”