Cloud Computing: Agencies Need to Address Key OMB Procurement Requirements
Fast Facts
In 2019, the Office of Management and Budget established 5 key requirements for agencies related to procuring secure, cost-effective cloud services.
As of July 2024, the 24 major agencies set policies and guidance that addressed some of these requirements but not others. For example, all the agencies had established guidance to ensure their chief information officer oversees agency modernization efforts.
But most hadn't established guidance on service level agreements—which define the levels of service and performance the agency expects its cloud providers to meet.
Our 47 recommendations address these and other issues.
Highlights
What GAO Found
Agencies had mixed results in setting policies and guidance that addressed the five key procurement requirements established by the Office of Management and Budget (OMB) in its 2019 Cloud Smart Strategy. Specifically, as of July 2024, all 24 agencies had established guidance to ensure the agency Chief Information Officer (CIO) oversaw modernization and almost all had guidance in place to improve their policies and guidance related to cloud services. However, most agencies did not establish guidance related to service level agreements (SLA), which define the levels of service and performance that the agency expects its cloud providers to meet. In addition, nearly one-third of agencies did not have guidance to ensure continuous visibility in high value assets (systems that process high-value information or serve a critical function in maintaining the security of the civilian enterprise).
Table 1: Extent to Which Federal Agencies' Guidance Has Addressed the Five Procurement-Related Cloud Computing Requirements, as of July 2024

Requirement | Fully Addressed | Partially Addressed | Not Addressed |
---|---|---|---|
Ensure the agency's chief information officer oversees modernization. | 24 | 0 | 0 |
Iteratively improve agency policies and guidance. | 23 | 0 | 1 |
Have cloud service level agreement in place. | 6 | 10 | 8 |
Standardize cloud contract service level agreements. | 9 | 2 | 13 |
Ensure continuous visibility in high value asset contracts. (a) | 11 | 2 | 5 |
Legend: Fully addressed = The agency provided evidence that addressed the requirement. Partially addressed = The agency provided evidence that it had addressed some, but not all of the requirement. Not addressed = The agency did not provide evidence that it had addressed any of the requirement.
Source: GAO analysis of agency documentation. | GAO-24-106137
(a) The requirement was not applicable for six agencies because high value assets were not stored in the cloud.
Agency officials provided different reasons as to why guidance had not been developed for the requirements. For example, six agencies reported that they had used SLAs provided by the cloud service providers. One agency reported that it had included language in its blanket purchase agreement and two agencies reported they were in the process of finalizing guidance. Regarding high value asset guidance, one agency reported that it had included language in their contracts to meet the requirement but had not developed corresponding guidance. One agency reported that it had relied on standard acquisition practices and had not developed separate processes for these assets.
In addition, agency officials reported that additional guidance, including standardized SLA language and high value asset contract language, would be helpful. The CIO Council, as a forum for improving agency practices, could facilitate the collection of examples of guidance and language from agencies that have met these requirements. By sharing examples of agency guidance and contract language related to the SLA and high value asset requirements, agencies would be able to more readily address OMB's requirements.
Why GAO Did This Study
Cloud computing enables on-demand access to shared computing resources, providing services more quickly and at a lower cost than having agencies maintain these resources themselves. In 2010, OMB began requiring agencies to shift their IT services to cloud services when feasible. In 2019, OMB updated its Federal Cloud Computing Strategy (called Cloud Smart) and established five key cloud procurement requirements.
GAO was asked to examine agencies' efforts to implement OMB's Cloud Smart initiative. This report assesses the extent to which agencies' cloud guidance addresses OMB's five Cloud Smart procurement requirements. For each of the 24 Chief Financial Officers Act agencies, GAO analyzed relevant cloud procurement and security policies, guidance, and SLAs. GAO then assessed the results of the analysis against the five requirements. GAO also interviewed officials in the 24 agencies' Offices of the CIO.
Recommendations
GAO is making one recommendation to the CIO Council to collect and share examples of guidance on cloud SLAs and contract language. GAO is also making 46 recommendations to 18 agencies to develop or update guidance related to OMB's Cloud Smart procurement requirements. Fourteen agencies agreed with all recommendations, one agency did not explicitly agree but provided planned actions, the CIO Council and three agencies neither agreed nor disagreed, and one (Department of Education) disagreed. GAO continues to believe its recommendation to Education is warranted, as discussed in this report.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Chief Information Officers Council | The CIO Council, working with its chair, the Office of Management and Budget's Deputy Director for Management, should collect and share examples of agency guidance and contract language related to OMB's requirements in the Federal Cloud Computing Strategy on: (1) the four key SLA elements, (2) standardizing SLAs, and (3) ensuring that contracts affecting federal agencies' HVAs, including those managed and operated in the cloud, include requirements that provide agencies with continuous visibility of the asset. (Recommendation 1) | The CIO Council has not yet taken any actions to implement our recommendation. We will continue to monitor the CIO Council's progress in implementing this recommendation. |
Department of Agriculture | The Secretary of Agriculture should ensure that the CIO of Agriculture finalizes its guidance on standardizing cloud SLAs. (Recommendation 2) | In November 2024, an official from the Department of Agriculture's (Agriculture) Office of the Chief Information Officer reported that the department was working to publish an updated cloud policy that would address our recommendation but did not have a timeframe on when the policy would be finalized. We will continue to monitor Agriculture's progress in implementing this recommendation. |
Department of Agriculture | The Secretary of Agriculture should ensure that the CIO of Agriculture finalizes its guidance to require that contracts affecting the agency's high value assets that are managed and operated in the cloud include language that provides the agency with continuous visibility of the asset. (Recommendation 3) | In November 2024, an official from the Department of Agriculture's (Agriculture) Office of the Chief Information Officer reported that the department was working to publish an updated cloud policy that would address our recommendation but did not have a timeframe on when the policy would be finalized. We will continue to monitor Agriculture's progress in implementing this recommendation. |
Department of Agriculture | The Secretary of Agriculture should ensure that the CIO of Agriculture updates its existing contracts for high value assets that are managed and operated in the cloud to meet OMB's requirement once guidance from the CIO Council is available on language that provides the agency with continuous visibility of the asset. If modifying the existing contract is not practical, the agency should incorporate language into the contract that will meet OMB's requirement upon option exercise or issuance of a new award. (Recommendation 4) | The Department of Agriculture (Agriculture) has not yet taken any actions to implement our recommendation. We will continue to monitor Agriculture's progress in implementing this recommendation. |
Department of Commerce | The Secretary of Commerce should ensure that the CIO of Commerce finalizes guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's four required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance. (Recommendation 5) | The Department of Commerce (Commerce) agreed with and has addressed our recommendation. In November 2024, an official in Commerce's Office of the Chief Financial Officer provided a copy of the department's finalized guidance on service level agreement (SLA) cloud procurement best practices. The guidance included language regarding the continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance. For example, the department's guidance noted that minimum service levels for each service, including penalties for not meeting these service levels, should be identified and the cloud provider should regularly report on these metrics. Further, the guidance specified that cloud providers' services should be in alignment with the Federal Risk and Authorization Management Program (FedRAMP) and be integrated with the department's security operations center. By implementing our recommendation, Commerce is better positioned to ensure that SLAs are in place to govern the levels of service and performance the department expects when procuring cloud services from a vendor. |
Department of Commerce | The Secretary of Commerce should ensure that the CIO of Commerce finalizes guidance on standardizing cloud SLAs. (Recommendation 6) | The Department of Commerce (Commerce) agreed with and has addressed our recommendation. In November 2024, an official in Commerce's Office of the Chief Financial Officer provided a copy of the department's finalized guidance on service level agreement (SLA) cloud procurement best practices. The department's guidance noted that SLAs should include language related to e-discovery requirements; data retention, privacy, and destruction; incident handling; third-party certification of the IT security program; and reducing vendor lock-in. By implementing our recommendation, Commerce is better positioned to ensure that standardized SLAs are in place to provide more effective, efficient, and secure cloud procurement outcomes. |
Department of Education | The Secretary of Education should ensure that the CIO of Education updates guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required elements for SLAs, including: remediation plans for non-compliance. (Recommendation 7) | The Department of Education (Education) has not yet taken any actions to implement our recommendation. We will continue to monitor Education's progress in implementing this recommendation. |
Department of Energy | The Secretary of Energy should ensure that the CIO of Energy develops guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's four required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance. (Recommendation 8) | In comments on our report, the Department of Energy (Energy) concurred with our recommendation and stated that it would form a working group to develop guidance that incorporated OMB's four required elements. We will continue to monitor Energy's progress in implementing this recommendation. |
Department of Energy | The Secretary of Energy should ensure that the CIO of Energy develops guidance regarding standardizing cloud SLAs. (Recommendation 9) | In comments on our report, the Department of Energy (Energy) concurred with our recommendation and stated that the department's Office of the CIO would work with the Office of Acquisition Management to develop guidance. We will continue to monitor Energy's progress in implementing this recommendation. |
Department of Energy | The Secretary of Energy should ensure that the CIO of Energy develops guidance to require that contracts affecting the agency's HVAs that are managed and operated in the cloud include language that provides the agency with continuous visibility of the asset. (Recommendation 10) | In comments on our report, the Department of Energy (Energy) concurred with our recommendation and stated that it was still assessing the appropriate mechanism to document the requirement. We will continue to monitor Energy's progress in implementing this recommendation. |
Department of Energy | The Secretary of Energy should ensure that the CIO of Energy updates its existing contracts for HVAs that are managed and operated in the cloud to meet OMB's requirement once guidance from the CIO Council is available on language that provides the agency with continuous visibility of the asset. If modifying the existing contract is not practical, the agency should incorporate language into the contract that will meet OMB's requirement upon option exercise or issuance of a new award. (Recommendation 11) | In comments on our report, the Department of Energy (Energy) concurred with our recommendation and stated that the Office of the CIO and the Office of Acquisition Management would work to modify these contracts once language from the CIO Council was available. We will continue to monitor Energy's progress in implementing this recommendation. |
Department of Homeland Security | The Secretary of Homeland Security should ensure that the CIO of DHS updates its guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required elements for SLAs, including: remediation plans for non-compliance. (Recommendation 12) | In comments on our report, the Department of Homeland Security (DHS) concurred with our recommendation and stated that it would review its cloud computing practice requirements and strengthen its guidance by ensuring the guidance addressed OMB requirements. In November 2024, an official from DHS's Office of the CIO reported that the department intended to finalize its implementation plan and timeline by February 2025. We will continue to monitor DHS's progress in implementing this recommendation. |
Department of Homeland Security | The Secretary of Homeland Security should ensure that the CIO of DHS develops guidance regarding standardizing cloud SLAs. (Recommendation 13) | In comments on our report, the Department of Homeland Security (DHS) concurred with our recommendation and stated that it would create, coordinate, and publish a new cloud services policy that would address the requirement for standardizing SLA language and practices. In November 2024, an official from DHS's Office of the CIO reported that the department intended to finalize its implementation plan and timeline by February 2025. We will continue to monitor DHS's progress in implementing this recommendation. |
Department of Housing and Urban Development | The Secretary of Housing and Urban Development should ensure that the CIO of HUD develops guidance to put a SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's four required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance. (Recommendation 14) | In comments on our report, the Department of Housing and Urban Development (HUD) provided an action plan to address our recommendation, which included developing a service level agreement guidance framework for cloud services and training. HUD reported the department had a target completion date of December 2024 for these activities. We will follow up with HUD to ascertain whether the department has finalized its framework and training to address our recommendation. |
Department of Housing and Urban Development | The Secretary of Housing and Urban Development should ensure that the CIO of HUD develops guidance regarding standardizing cloud SLAs. (Recommendation 15) | In comments on our report, the Department of Housing and Urban Development (HUD) provided an action plan to address our recommendation, which included developing a standardized service level agreement framework that incorporated best practices and aligned with Cloud Smart and industry standards. HUD reported the department had a target completion date of March 2025 for these activities. We will follow up with HUD to ascertain whether the department has finalized its framework to address our recommendation. |
Department of Housing and Urban Development | The Secretary of Housing and Urban Development should ensure that the CIO of HUD develops guidance to require that contracts affecting the agency's HVAs that are managed and operated in the cloud include language that provides the agency with continuous visibility of the asset. (Recommendation 16) | In comments on our report, the Department of Housing and Urban Development (HUD) provided an action plan to address our recommendation, which included collaborating with internal stakeholders to define specific requirements for continuous visibility of HVAs in cloud contracts and incorporating the language into contract templates. HUD reported the department had a target completion date of March 2025 for these activities. We will follow up with HUD to ascertain whether the department has finalized its guidance and templates to address our recommendation. |
Department of Housing and Urban Development | The Secretary of Housing and Urban Development should ensure that the CIO of HUD updates its existing contracts for HVAs that are managed and operated in the cloud to meet OMB's requirement once guidance from the CIO Council is available on language that provides the agency with continuous visibility of the asset. If modifying the existing contract is not practical, the agency should incorporate language into the contract that will meet OMB's requirement upon option exercise or issuance of a new award. (Recommendation 17) | In comments on our report, the Department of Housing and Urban Development (HUD) provided an action plan to address our recommendation, which included monitoring CIO Council updates for guidance regarding contractual language and working with stakeholders to update the contracts with language that meets OMB's requirements upon renewal or amendment. HUD reported the department had a target completion date of March 2025 for these activities. We will follow up with HUD to ascertain whether the department has finalized its activities to address our recommendation. |
Department of Justice | The Attorney General of the United States should ensure that the CIO of Justice updates guidance to put a SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required elements for SLAs, including: remediation plans for non-compliance. (Recommendation 18) | The Department of Justice (Justice) has not yet taken any actions to implement our recommendation. We will continue to monitor Justice's progress in implementing this recommendation. |
Department of Labor | The Secretary of Labor should ensure that the CIO of Labor develops guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's four required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance. (Recommendation 19) | The Department of Labor (Labor) agreed with and has addressed our recommendation. In September 2024, a Labor official in the Office of the Assistant Secretary for Policy provided a copy of the department's new service level agreement (SLA) guidance. The guidance included language regarding the continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance. For example, the department's guidance noted that the SLA should include the performance metrics the vendor shall use to determine the health and security of the services being delivered and a description of the plan and process the vendor will follow to detect, report, and remediate any non-compliance, as well as the credits to be offered if non-compliance is identified. By implementing our recommendation, Labor is better positioned to ensure that SLAs are in place to govern the levels of service and performance the department expects when procuring cloud services from a vendor. |
Department of Labor | The Secretary of Labor should ensure that the CIO of Labor develops guidance regarding standardizing cloud SLAs. (Recommendation 20) | The Department of Labor (Labor) agreed with and has addressed our recommendation. In September 2024, a Labor official in the Office of the Assistant Secretary for Policy provided a copy of the department's new service level agreement (SLA) guidance. The department's guidance noted that SLAs should include language related to ensuring Labor's cybersecurity and encryption requirements are addressed, responding to breaches and unauthorized disclosures of data, monthly reviews of cybersecurity configurations, and other privacy requirements. By implementing our recommendation, Labor is better positioned to ensure that standardized SLAs are in place to provide more effective, efficient, and secure cloud procurement outcomes. |
Department of Transportation | The Secretary of Transportation should ensure that the CIO of Transportation develops guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's four required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance. (Recommendation 21) | In November 2024, an official from the Department of Transportation's (Transportation) Audit Relations and Program Improvement office reported that the department had begun a review to determine the appropriate guidance that would address the recommendation. The official reported that the department expected to complete these activities in fiscal year 2025. We will continue to monitor Transportation's progress in implementing this recommendation. |
Department of Transportation | The Secretary of Transportation should ensure that the CIO of Transportation updates its guidance regarding standardizing cloud SLAs. (Recommendation 22) | In November 2024, an official from the Department of Transportation's (Transportation) Audit Relations and Program Improvement office reported that the department had begun a review to determine the appropriate guidance that would address the recommendation. The official reported that the department expected to complete these activities in fiscal year 2025. We will continue to monitor Transportation's progress in implementing this recommendation. |
Department of Transportation | The Secretary of Transportation should ensure that the CIO of Transportation develops guidance to require that contracts affecting the agency's high value assets that are managed and operated in the cloud include language that provides the agency with continuous visibility of the asset. (Recommendation 23) | In November 2024, an official from the Department of Transportation's (Transportation) Audit Relations and Program Improvement office reported that the department would ensure its guidance concerning service level agreements is applicable to all IT contracts, including those for high value assets. The official reported that the department expected to complete these activities in fiscal year 2025. We will continue to monitor Transportation's progress in implementing this recommendation. |
Department of Transportation | The Secretary of Transportation should ensure that the CIO of Transportation updates its existing contracts for HVAs that are managed and operated in the cloud to meet OMB's requirement once guidance from the CIO Council is available on language that provides the agency with continuous visibility of the asset. If modifying the existing contract is not practical, the agency should incorporate language into the contract that will meet OMB's requirement upon option exercise or issuance of a new award. (Recommendation 24) | In November 2024, an official from the Department of Transportation's (Transportation) Audit Relations and Program Improvement office reported that the department had begun a review of contracts supporting high value assets and that the best approach would be identified once all contract boundaries had been identified. The official reported that the department expected to complete the review and implementation approach in fiscal year 2025. We will continue to monitor Transportation's progress in implementing this recommendation. |
Department of Veterans Affairs | The Secretary of Veterans Affairs should ensure that the CIO of VA updates guidance to put a SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; and clear performance metrics. (Recommendation 25) | The Department of Veterans Affairs (VA) has not yet taken any actions to implement our recommendation. We will continue to monitor VA's progress in implementing this recommendation. |
Department of Veterans Affairs | The Secretary of Veterans Affairs should ensure that the CIO of VA develops guidance regarding standardizing cloud SLAs. (Recommendation 26) | The Department of Veterans Affairs (VA) has not yet taken any actions to implement our recommendation. We will continue to monitor VA's progress in implementing this recommendation. |
Department of Veterans Affairs | The Secretary of Veterans Affairs should ensure that the CIO of VA develops guidance to require that contracts affecting the agency's HVAs that are managed and operated in the cloud include language that provides the agency with continuous visibility of the asset. (Recommendation 27) | The Department of Veterans Affairs (VA) has not yet taken any actions to implement our recommendation. We will continue to monitor VA's progress in implementing this recommendation. |
Department of Veterans Affairs | The Secretary of Veterans Affairs should ensure that the CIO of VA updates its existing contracts for HVAs that are managed and operated in the cloud to meet OMB's requirement once guidance from the CIO Council is available on language that provides the agency with continuous visibility of the asset. If modifying the existing contract is not practical, the agency should incorporate language into the contract that will meet OMB's requirement upon option exercise or issuance of a new award. (Recommendation 28) | The Department of Veterans Affairs (VA) has not yet taken any actions to implement our recommendation. We will continue to monitor VA's progress in implementing this recommendation. |
Environmental Protection Agency | The Administrator of EPA should ensure that the CIO of EPA updates guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; and remediation plans for non-compliance. (Recommendation 29) | In comments on our report, the Environmental Protection Agency (EPA) concurred with our recommendation and stated that it would evaluate the agency's current performance metrics and identify any gaps or improvements required to support the agency's mission. EPA said that new SLA metrics and updates would be negotiated with the service provider and incorporated into existing contracts. We will continue to monitor EPA's progress in implementing this recommendation. |
Environmental Protection Agency | The Administrator of EPA should ensure that the CIO of EPA updates guidance regarding standardizing cloud SLAs. (Recommendation 30) | In comments on our report, the Environmental Protection Agency (EPA) concurred with our recommendation and stated that the agency would evaluate existing metrics across existing contracts to identify standard requirements that have evolved organically and incorporate them into guidance related to cloud statements of work, including security requirements already established. The agency stated that it would also develop guidance, including standardized clauses to be incorporated into all cloud statements of work and recommended language that may be tailored to specific cloud providers. We will continue to monitor EPA's progress in implementing this recommendation. |
General Services Administration | The Administrator of GSA should ensure that the CIO of GSA updates guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed for the agency. The guidance should include language that addresses OMB's required elements for SLAs, including: remediation plans for non-compliance. (Recommendation 31) | The General Services Administration (GSA) agreed with and has addressed our recommendation. In November 2024, a GSA official in the Office of the Chief Financial Officer provided a copy of the agency's updated guidance on security and privacy requirements for IT acquisition efforts, which included language regarding remediation plans for non-compliance. For example, the agency's guidance noted that service level agreements (SLA) would specify the penalties for not meeting service levels stated in the agreements and identify the associated responsibility of all stakeholders for these activities. By implementing our recommendation, GSA is better positioned to ensure that SLAs are in place to govern the levels of service and performance the agency expects when procuring cloud services from a vendor. |
General Services Administration | The Administrator of GSA should ensure that the CIO of GSA develops guidance regarding standardizing cloud SLAs. (Recommendation 32) | The General Services Administration (GSA) agreed with and has addressed our recommendation. In November 2024, a GSA official in the Office of the Chief Financial Officer provided a copy of the agency's updated guidance on security and privacy requirements for IT acquisition efforts. The agency's guidance included language related to ensuring service metrics were calculated and communicated in acquisitions more explicitly. In addition, GSA's guidance included clauses related to IT security and privacy requirements, particularly for cloud vendors providing software as a service, and clauses requiring vendors to comply with Federal Risk and Authorization Management Program (FedRAMP) service level agreement (SLA) requirements. By implementing our recommendation, GSA is better positioned to ensure that standardized SLAs are in place to provide more effective, efficient, and secure cloud procurement outcomes. |
National Science Foundation | The Director of the NSF should ensure that the CIO of NSF updates guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required elements for SLAs, including: clear performance metrics and remediation plans for non-compliance. (Recommendation 33) | In comments on our report, the National Science Foundation (NSF) concurred with our recommendation and stated that the agency was working to further formalize and strengthen guidance for cloud acquisitions to incorporate the elements noted in our recommendation. We will continue to monitor NSF's progress in implementing this recommendation. |
National Science Foundation | The Director of the NSF should ensure that the CIO of NSF develops guidance regarding standardizing cloud SLAs. (Recommendation 34) | In comments on our report, the National Science Foundation (NSF) concurred with our recommendation and stated that the agency was working to further formalize and strengthen guidance for cloud acquisitions to incorporate the elements noted in our recommendation. We will continue to monitor NSF's progress in implementing this recommendation. |
National Science Foundation | The Director of the NSF should ensure that the CIO of NSF updates its guidance to require that contracts affecting the agency's high value assets that are managed and operated in the cloud include language that provides the agency with continuous visibility of the asset. (Recommendation 35) | In comments on our report, the National Science Foundation (NSF) concurred with our recommendation and stated that the agency was working to further formalize and strengthen guidance for cloud acquisitions to incorporate the elements noted in our recommendation. We will continue to monitor NSF's progress in implementing this recommendation. |
National Science Foundation | The Director of the NSF should ensure that the CIO of NSF updates its existing contracts for high value assets that are managed and operated in the cloud to meet OMB's requirement once guidance from the CIO Council is available on language that provides the agency with continuous visibility of the asset. If modifying the existing contract is not practical, the agency should incorporate language into the contract that will meet OMB's requirement upon option exercise or issuance of a new award. (Recommendation 36) | The National Science Foundation (NSF) has not yet taken any actions to implement our recommendation. We will continue to monitor NSF's progress in implementing this recommendation. |
Nuclear Regulatory Commission | The Chairman of NRC should ensure that the CIO of NRC develops guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's four required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance. (Recommendation 37) | The Nuclear Regulatory Commission (NRC) concurred with our recommendation and stated that it plans to take actions to address it. In November 2024, an official in NRC's Office of the Executive Director for Operations reported that the agency planned to establish a working group to address the OMB requirement. In addition, the agency planned to update its service level agreement (SLA) guidance and make sure it included all four required elements. We will continue to monitor NRC's progress in implementing this recommendation. |
Nuclear Regulatory Commission | The Chairman of NRC should ensure that the CIO of NRC develops guidance regarding standardizing cloud SLAs. (Recommendation 38) | The Nuclear Regulatory Commission (NRC) concurred with our recommendation and stated that it plans to take actions to address it. In November 2024, an official in NRC's Office of the Executive Director for Operations reported that the agency planned to establish a working group to address the OMB requirement. In addition, the agency planned to review its current list of recommended clauses and other procurement resources to make sure it includes all four required elements for cloud computing services. When procuring cloud computing services through third party resellers, the official noted that the agency will ensure that service level agreements are extended to NRC, not just the reseller. We will continue to monitor NRC's progress in implementing this recommendation. |
Nuclear Regulatory Commission | The Chairman of NRC should ensure that the CIO of NRC develops guidance to require that contracts affecting the agency's HVAs that are managed and operated in the cloud include language that provides the agency with continuous visibility of the asset. (Recommendation 39) | The Nuclear Regulatory Commission (NRC) concurred with our recommendation and stated that it plans to take actions to address it. In November 2024, an official in NRC's Office of the Executive Director for Operations reported that the agency planned to establish a working group to address the OMB requirement. In addition, the agency planned to update its statement of work templates to include this requirement and to include language in agency guidance that would make the agency responsible for monitoring NRC's high value asset systems and for the continuous visibility needed to perform these activities. We will continue to monitor NRC's progress in implementing this recommendation. |
Nuclear Regulatory Commission | The Chairman of NRC should ensure that the CIO of NRC updates its existing contracts for HVAs that are managed and operated in the cloud to meet OMB's requirement once guidance from the CIO Council is available on language that provides the agency with continuous visibility of the asset. If modifying the existing contract is not practical, the agency should incorporate language into the contract that will meet OMB's requirement upon option exercise or issuance of a new award. (Recommendation 40) | The Nuclear Regulatory Commission (NRC) concurred with our recommendation and stated that it plans to take actions to address it. In November 2024, an official in NRC's Office of the Executive Director for Operations reported that the agency planned to establish a working group to address the OMB requirement. In addition, the agency planned to update its existing high value asset contracts to provide the agency with continuous visibility of the asset. We will continue to monitor NRC's progress in implementing this recommendation. |
Office of Personnel Management | The Director of OPM should ensure that the CIO of OPM updates guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required element for SLAs: remediation plans for non-compliance. (Recommendation 41) | In comments on our report, the Office of Personnel Management (OPM) concurred with our recommendation and stated that the agency would issue a policy to provide guidance to address it. We will continue to monitor OPM's progress in implementing this recommendation. |
Small Business Administration | The Administrator of SBA should ensure that the CIO of SBA develops guidance that requires a periodic review of the agency's policies related to cloud services, including any technical guidance and business requirements, to determine if improvements should be made. (Recommendation 42) | In comments on our report, the Small Business Administration (SBA) concurred with our recommendation and stated that the agency would develop guidance to address it. We will continue to monitor SBA's progress in implementing this recommendation. |
Small Business Administration | The Administrator of SBA should ensure that the CIO of SBA develops guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's four required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance. (Recommendation 43) | In comments on our report, the Small Business Administration (SBA) concurred with our recommendation and stated that the agency would develop guidance to address it. We will continue to monitor SBA's progress in implementing this recommendation. |
Small Business Administration | The Administrator of SBA should ensure that the CIO of SBA develops guidance regarding standardizing cloud SLAs. (Recommendation 44) | In comments on our report, the Small Business Administration (SBA) concurred with our recommendation and stated that the agency would develop guidance to address it. We will continue to monitor SBA's progress in implementing this recommendation. |
Social Security Administration | The Commissioner of SSA should ensure that the CIO of SSA updates guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required elements for SLAs, including: clear performance metrics and remediation plans for non-compliance. (Recommendation 45) | The Social Security Administration (SSA) has not yet taken any actions to implement our recommendation. We will continue to monitor SSA's progress in implementing this recommendation. |
U.S. Agency for International Development | The Administrator of USAID should ensure that the CIO of USAID updates guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required elements for SLAs, including: remediation plans for non-compliance. (Recommendation 46) | The U.S. Agency for International Development (USAID) agreed with and has addressed our recommendation. In October 2024, a USAID official in the Office of the CIO provided a copy of the agency's updated guidance on information security requirements for acquisition of unclassified information technology, which included language regarding remediation plans for non-compliance. For example, the agency's guidance noted that service level agreements (SLA) will specify the level of performance, how the performance will be measured, and what enforcement mechanisms will be used to ensure the specified levels are achieved, which would address areas of non-compliance. By implementing our recommendation, USAID is better positioned to ensure that SLAs are in place to govern the levels of service and performance the agency expects when procuring cloud services from a vendor. |
U.S. Agency for International Development | The Administrator of USAID should ensure that the CIO of USAID develops guidance regarding standardizing cloud SLAs. (Recommendation 47) | The U.S. Agency for International Development (USAID) agreed with and has addressed our recommendation. In October 2024, a USAID official in the Office of the CIO provided a copy of the agency's updated guidance on information security requirements for acquisition of unclassified information technology. The agency's guidance noted that service level agreements (SLA) should include language related to ensuring data ownership, licensing, and disposition requirements are met, as well as requirements for inspection and audit activities. Further, the guidance included language for requirements related to third party security assessments in accordance with the Federal Risk and Authorization Management Program (FedRAMP). By implementing our recommendation, USAID is better positioned to ensure that standardized SLAs are in place to provide more effective, efficient, and secure cloud procurement outcomes. |