The Small Business Administration Office of the Inspector General, or SBA OIG, raised concerns about oversight of the agency’s cloud migration, contracts with cloud providers, and ability to move data to other services in a report released April 9.
SBA is well-known for its embrace of cloud, with the agency piloting programs and moving rapidly. The report notes that SBA’s cloud initiative was cemented in the agency’s strategic plan. But the inspector general’s office found several gaps in compliance with Federal policies during the transition.
On the agency’s cloud migration, the OIG found that SBA has weaknesses in following policies in four main areas: monitoring its inventory, ensuring needed cybersecurity controls, efficiently moving data among clouds, and documenting cost savings. The report issued eight recommendations in total.
SBA did not consistently update and monitor its cloud system inventory, according to the report. The CIO’s office relied primarily on the Cyber Security Asset Management (CSAM) tool to manage its inventory, but CSAM was not fully utilized across the agency, and 35 percent of system records could not be accessed through CSAM due to an inaccurate inventory. Additionally, OIG found that the vulnerability and baseline scanning teams were not using their results to update system security plans in CSAM, which could leave those plans out of date.
The report recommended that SBA update and reconcile CSAM on a periodic basis, and instruct vulnerability and baseline security teams to use CSAM to update security plans, both recommendations that SBA agreed with.
The OIG also found SBA’s monitoring of cloud service providers lacking. Of the three cloud systems tested, all had vulnerabilities in identity and access management and contingency planning, and certain systems also had deficiencies in risk management and configuration management.
The report recommended that SBA ensure cloud service providers include these controls in their security processes, which SBA agreed with.
The report noted that while SBA included cost as a justification for moving to the cloud and set a goal of $10.8 million in cost savings and avoidance, the documentation it provided added up to only $8 million, and SBA could not provide business cases to serve as a baseline estimate for multiple cloud systems. The report also chided SBA for not including service level agreements (SLAs) in the cloud contracts for five systems.
In its recommendations, OIG called on SBA to develop a process for capturing both performance goal estimates and actual costs, document cloud migration decisions through approval of business cases, and ensure controls like SLAs clearly define responsibilities and metrics. SBA fully agreed to document business cases and partially agreed on the other recommendations, and the report classified all recommendations as resolved.
Finally, the report also singles out the absence of any language in contracts with cloud providers about moving data efficiently to other providers, and SBA’s lack of documented controls on interoperability, portability, and data ownership, referring to the NIST (National Institute of Standards and Technology) Cloud Computing Standards Roadmap as guidance.
OIG recommended developing policies and procedures for interoperability, portability, and data ownership, and specifying those aspects in the reviewed contracts as well. SBA partially agreed, as it was already creating these policies, and OIG accepted the response as resolving the recommendations.