Energy Department’s cloud integration efforts flawed, report finds
Recently, the United States Post Office's inspector general released an audit of the agency's cloud successes and failures. The report revealed that while the USPS has made significant progress in this area, it has also struggled to comply with cloud computing standards, creating possible cybersecurity risks for the agency.
Now, the Department of Energy's inspector general has released a similar report, with similar findings. Most notably, the audit revealed that the lack of a comprehensive strategy for overseeing cloud integration has caused significant problems for the agency, including an increased risk of cybersecurity failure. A revised, improved approach to the cloud may be needed.
The audit noted that the Department of Energy was a particularly decentralized agency, composed of a number of smaller teams. This makes safe, secure cloud integration even more challenging than is normally the case for federal departments. It can be difficult to ensure that all of the discrete units are on the same page, which can lead to inconsistent approaches, oversights and more.
Specifically, the IG report identified three main issues with the department's cloud integration efforts. First, the Department of Energy was not able to accurately track all of its cloud services, which represent an investment of more than $30 million.
"While the Office of the Chief Information Officer (OCIO) only reported 44 ongoing cloud initiatives to OMB, our testwork revealed that the department had initiated at least 130 cloud computing efforts at 24 federal and contractor locations," the audit pointed out.
Second, the report noted that the Energy Department failed to ensure that all cloud service agreements address key cybersecurity concerns by following federal guidelines. Instead, many of these contracts did not feature provisions or clauses that would allow the agency to access the vendor's facilities, databases or documents as part of a forensic investigation. Without this access, examining the extent of a data breach or other security failure can be far more difficult.
Lastly, the audit reported that not all of the Energy Department's cloud services comply with FedRAMP. Considering that FedRAMP was designed to ensure the security of federal cloud services, this may put the agency at further risk.
A comprehensive strategy
The IG audit emphasized that the main reason behind the Energy Department's cloud computing problems was the lack of a comprehensive strategy. This shortcoming not only put the agency at risk of a cloud-related data breach, but also made it difficult, or even impossible, for the department to maximize the efficiency and productivity gains offered by cloud technology.
Clearly, a new approach to the cloud is necessary. And to fully achieve this goal, the Energy Department should consider partnering with a trusted third-party cloud integration services provider. Such a firm could help the agency to rectify the various issues highlighted by the IG audit, while also developing a plan for the department's future cloud computing efforts. This can ensure that the department's cloud environments remain safe and protected without sacrificing effectiveness.