Agencies have work to do on OMB cloud procurement requirements, GAO finds
Meeting procurement requirements laid out in 2019 Office of Management and Budget guidance on cloud strategy has been a mixed bag for federal agencies, a new congressional watchdog report found.
As of this July, all 24 Chief Financial Officers Act agencies completed an OMB requirement in its Cloud Smart strategy to ensure that CIOs oversee modernization efforts, according to the Government Accountability Office. And all but one agency — the Small Business Administration — addressed the OMB mandate to “iteratively improve agency policies and guidance.”
But there is plenty of work to do on the remaining three OMB callouts, the GAO said in its June 2022-September 2024 performance audit, which was requested by Rep. Gerry Connolly, D-Va., ranking member of the House Oversight and Accountability Subcommittee on Cybersecurity, Information Technology, and Government Innovation.
Just six agencies — NASA and the departments of Agriculture, Defense, Health and Human Services, Interior and State — have fully completed the requirement to have a cloud service level agreement in place. Having those pacts with cloud vendors is aimed at ensuring that an agency is “provided with continuous awareness of the confidentiality, integrity, and availability of its information,” per OMB, in addition to spelling out detailed roles and responsibilities with cloud providers and setting performance standards.
Agencies that have partially completed that requirement are the departments of Education, Homeland Security, Justice and Veterans Affairs, USAID, the Environmental Protection Agency, General Services Administration, National Science Foundation, Office of Personnel Management, and the Social Security Administration.
Of the agencies that have not addressed the requirement, some had incomplete or irrelevant documentation, while others said they were working to alter their cloud agreements.
Agencies fared slightly better on the OMB requirement to standardize cloud contract service agreements, with nine implementing the task fully: Defense, Education, HHS, Interior, DOJ, State, NASA, OPM and SSA. The EPA and the Department of Transportation have partially fulfilled these obligations, while 13 haven’t addressed the requirement at all.
“Officials at one agency reported that they had chosen not to develop standardized SLA guidance,” the GAO said. “Specifically, officials at GSA’s Office of the CIO reported that the agency had relied on guidance related to alignment with FedRAMP rather than creating separate guidance to standardize SLA clauses. Officials stated this was because the CIO’s office intended that the agency would use standardized SLAs from its authorized FedRAMP cloud providers to address security requirements.”
The final OMB mandate — to ensure continuous visibility in high-value asset contracts — has been completely adopted by 11 agencies: the departments of Commerce, Defense, Education, Interior, State, HHS and DHS, as well as NASA, OPM, SSA and the Small Business Administration, while NSF and the Department of Agriculture have accomplished some of the goals. That requirement, GAO noted, is intended to protect “systems that process high-value information or serve a critical function in maintaining the security of the civilian enterprise.”
The watchdog delivered one recommendation to the CIO Council — to gather and distribute examples of guidance on cloud service level agreements and contract language — and another 46 to 18 agencies tied to OMB’s requirements. According to the GAO, 14 agencies agreed with all recommendations, the CIO Council and three others neither agreed nor disagreed, and the Department of Education disagreed with a recommendation.