NASA Navigates Space Better than it Navigates the Cloud

NASA spends a mere $10 million of its IT budget – or less than 1% of its annual $1.5 billion IT budget – on cloud computing. But within 5 years it expects that up to 75% of new programs will begin in the cloud.

While noting that NASA has been a pioneer in cloud computing, "having established its own private cloud-computing data center called Nebula in 2009 at the Ames Research Center (Ames)," the Office of Inspector General (OIG) audit levies four particular criticisms of its current state of cloud adoption.

The first is that governance needs to be strengthened. "We found that the Agency OCIO [office of the chief information officer] was not aware of all the cloud services NASA organizations had acquired or which service providers they used." Furthermore, only 3 of 15 agency CIOs stated that coordinating with the OCIO was necessary before moving into the cloud. In short, governance is poor if not absent.

The second is that risk management practices were ineffective. "We reviewed five NASA contracts for the acquisition of cloud-computing services and found that none came close to meeting recommended best practices for ensuring data security," says the audit. As a result, it says, "systems and data covered by these five contracts are at an increased risk of compromise."

The third is that one of the two 'moderate-impact' cloud services fails to meet security standards. "We found that the cloud service used to deliver Internet content for more than 100 NASA internal and public-facing websites had been operating for more than 2 years without written authorization or system security or contingency plans." As a result, said the audit, "A breach of this moderate-impact cloud service could result in a serious disruption to NASA operations."

The fourth is that while a contract with InfoZen meets FedRAMP standards, NASA organizations are not required to leverage the contract to obtain new cloud services. 

Right now NASA spends a mere $10 million of its IT budget – or to put that into context, less than 1% of its annual $1.5 billion IT budget – on cloud computing. But within 5 years it expects that up to 75% of new programs will begin in the cloud. "As NASA moves more of its systems and data to the cloud, it is imperative that the Agency strengthen its governance and risk management practices to safeguard its data while effectively spending its IT funds."

However, all's well that ends well. OIG made six specific recommendations to NASA, and NASA in turn has agreed to comply, subject to the availability of funds from within the $1.5 billion, with all six.
