The Defense Department failed to create a strategy for implementing its 2012 cloud computing policy, causing the department to miss out on many of the benefits offered by cloud services, according to an Inspector General report issued Dec. 4.
The 2012 policy outlined how cloud services should be purchased and managed, including setting up the Defense Information Systems Agency as the central broker. However, the policy lacked specifics on who was responsible for its execution and failed to establish metrics for measuring progress.
"Although the DoD CIO issued a cloud computing strategy in July 2012, as of June 2014, elements of that strategy were not fully executed," the IG wrote in its report. "For example, DoD did not fully develop specific skills training for the acquisition and contract specialists who procure cloud computing services and did not fully develop cloud service broker management capabilities."
This led to missed opportunities for cost savings through strategic purchasing and potential increases to cybersecurity.
RELATED
Special Section: What's Next in DoD Cloud
New DoD cloud policy delayed
DoD rescinds DISA cloud-broker memo
The Office of the Chief Information Officer (OCIO) initially planned to lay out an implementation strategy in 2012 but decided it would be covered under the Joint Information Environment framework.
The OCIO pointed to the JIE Master Schedule — specifically the Plan of Action and Milestones — as addressing the implementation plan, though the IG was not satisfied.
"DoD CIO could not provide a copy of the Master Schedule and could not otherwise show that roles and responsibilities for skills training and broker management capabilities were designated and that resources and milestones were assigned," the report stated.
The IG also found that DoD agencies purchased cloud products that were not approved by the department without obtaining permission first. This was a direct result of there not being a cloud waiver process, according to the IG.
The OCIO agreed with the recommendation for a cloud computing waiver process, however it disagreed that the JIE plan was insufficient and argued that the department was getting the most out of its cloud services.
Acting Principal Deputy CIO David De Vries told the IG, "Development of skills training for acquisition and contract specialists and the maturation of cloud broker management capabilities are evolving at a rate appropriate for DoD to address cybersecurity risks and integration challenges."
De Vries pointed to the new cloud policy being developed — expected to drop in early December — and acquisition training workshops held in 2014.
The IG stated the response was not comprehensive enough and gave the OCIO until Jan. 5 to submit more substantial comments.
"To help ensure the cloud computing strategy is implemented in a timely manner, DoD needs a mechanism to plan and prioritize efforts, monitor progress and provide accountability through development of an implementation plan," the IG concluded.
Aaron Boyd is an awarding-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.
