NASA auditors have released a damning report criticising NASA’s move to the cloud, saying weaknesses in IT governance and risk management practices have “impeded” the potential that cloud programs were meant to bring.
It criticised the Office of the Chief Information Officer (OCIO), saying that on five occasions cloud contracts were signed without the OCIO ensuring they addressed business and IT security risks that come with running services out of the Cloud.
NASA spends about US$1.5bn on its portfolio of IT assets, including 550 information systems used for controlling spacecraft and analytics data collection. Only a fraction of this is used for the Cloud.
The agency was one of the pioneers of the cloud with its Nebula program which saw NASA build a private cloud in 2009 at the Ames Research Center for high-capacity data storage services for NASA centers and external customers.
This program was closed five years later following a five-month test benchmarking Nebula capabilities against those of Amazon and Microsoft.
“The test found that public clouds were more reliable and cost effective and offered much greater computing capacity and better IT support services than Nebula,” the report said.
The office said NASA now spends less than 1% of its annual budget on cloud computing, but it expects this to increase in the next five years with up to 75% of its new programs estimated to be run out of the Cloud – public and private.
“As legacy systems are modernized, up to 40% of them could be moved to the Cloud,” the report said.
“As NASA moves more of its systems and data to the Cloud, it is imperative that the agency strengthen its governance and risk management practices to safeguard its data while effectively spending its IT funds.”
The report comes at a time when the US Government is heavily pushing the use of cloud computing services to save money through its Federal Risk and Authorization Management Program (FedRAMP), which dictates that by June 2014 every agency must use at least one FedRAMP-approved cloud service provider.
The Office of Management and Budget (OMB) has, in the past, requested that each agency use at least one cloud service by December 2011 and two by June 2012. These are both goals that NASA has hit.
But the report said NASA’s approach to moving to the cloud has been lacking.
“Several NASA Centers moved agency systems and data into public clouds without the knowledge or consent of the agency’s Office of the Chief Information Officer,” it said.
“Moreover, on five occasions, NASA acquired cloud computing services using contracts that failed to fully address the business and IT security risks unique to the cloud environment.”
Auditors found that two “moderate-impact” systems ran in the Cloud for two years without authorization, contingency plans or security plans and without tests of system security controls.
“This occurred because the Agency OCIO lacked proper oversight authority, was slow to establish a contract that mitigated risks unique to cloud computing, and did not implement measures to ensure the cloud providers met Agency IT security requirements.”
The agency had developed a contract that was used for acquiring cloud services from public cloud providers but this had not been put forward as a mandatory process.
“We found that the agency CIO was not aware of all the cloud services NASA organisations had acquired or which service providers they used,” the audit report said.
“In addition, only three of 15 Center and Mission Directorate CIOs we surveyed stated that coordination with the Agency OCIO was necessary before moving NASA systems and data to public clouds.”
The report acknowledged that part of the problem with NASA’s cloud deployments had come about as a result of a lack of communication through the ranks and the lack of an enterprise-wide cloud computing strategy, or processes for evaluating which systems NASA moves to the Cloud.
As a result, auditors recommended that NASA’s CIO develop a cloud computing program management office to define standards and to approve, coordinate and oversee agency-wide cloud acquisition programs and the deployment of cloud services.
It said NASA’s CIO has concurred with the recommendations and has proposed corrective actions.