The Treasury Inspector General for Tax Administration criticized how the IRS oversees its cloud infrastructure, particularly where it concerns vendor contracts.
The
So then, TIGTA went to the IRS's Cloud Management Office, which migrates projects to the cloud. CMO management, though, said they were unable to provide any of the cloud services contracts because they do not provide oversight of them.
After this, inspectors went to IRS Strategic Supplier Management, whose purpose is to support the IRS's strategic management of information technology acquisitions and to minimize risk in the acquisition process. That office was able to provide the cloud services contracts for an additional 32 cloud applications. Finally, TIGTA requested that the cloud application authorizing officials listed on the Cloud Inventory Report identify and provide the cloud services contracts, and they were able to provide the contracts for another nine applications.
This left two contracts that could not be located. As of the release of this inspection report, they still had not been found.
TIGTA faulted the IRS for how it organizes its cloud services contracts. A major issue is that the Office of the Chief Procurement Officer (OCPO) does not have a process to track cloud services contracts, and contracting officers did not always store cloud services contracts in the Folders Management module as required. OCPO management also did not offer guidance or training to contracting officers to support uniformity when processing cloud services contracts, despite regulations requiring them to do so.
"Rather, they rely on the contracting officers to obtain this knowledge through guidance from other experienced contracting officers or professional training certifications," said TIGTA. "As a result, the OCPO must make various and time-consuming queries of the Procurement System to identify the cloud services contracts."
TIGTA also noted that even among the contracts it could identify, the IRS could not determine the value of 45% of them. Cloud services contracts, including contract modifications, may also include the purchase of other information technology services and products. Because the IRS does not have a process to track detailed contract data, the specific contract values and obligations associated with each cloud application are not readily identified or determined, said TIGTA.
Inspectors also criticized the contracting process itself. All contracts are meant to have service-level agreements that define the level of performance expected from a service provider, how that performance will be measured, and what enforcement mechanisms will be used to ensure that specified service levels are achieved. TIGTA noted that the IRS followed proper SLA procedure when it came to cybersecurity, though other areas were much less consistent:
- Two cloud services contracts included nine SLAs, each with an associated penalty.
- One cloud services contract did not include any SLAs or associated penalties.
- One cloud services contract included an SLA that required that the cloud application provide "high availability," defined as having operations available 24 hours a day and seven days a week (99.9% of the time). However, the SLA did not specify any performance reporting or monitoring frequency, and there were no associated penalties for not meeting the service level.
- One cloud services contract included seven SLAs, each with an associated penalty for not meeting the service level. One service level was not met in September 2022, and the IRS assessed a penalty. The penalty for not meeting the service level was equal to 3% of the monthly cost for the web hosting service, calculated to be $1,017. However, as of May 2023, the IRS had not yet collected the penalty.
"OCPO management stated that instead of including specific SLAs, they default to their ability to post negative comments about the contractor in the Contractor Performance Assessment Reporting System following each contract period of performance or to terminate the contract entirely for severe deficiencies," said the report.
TIGTA also said the IRS, despite requirements to do so, did not pass contracts through the Cloud Front Door process. The CFD process serves as the IRS's "on-ramp" to the cloud and is the CMO's centralized processing function for all applications migrating to the cloud. The CMO also manages the Enterprise Cloud Program, a cross-functional program responsible for establishing enterprise-wide cloud capabilities, building the IRS's multicloud system, and providing services to cloud-based projects.
However, because the IRS does not centrally manage cloud contracts, the CFD process was routinely bypassed, which could carry cybersecurity implications. Further, because of this lack of centralized management, the IRS is unable to provide an accurate inventory of cloud applications. The IRS said in August that the CMO had been officially phased out and would be transitioning to the Enterprise Cloud Architecture and Design office to better align with the IRS's enterprise goals and modernization efforts.
The report also said the IRS was not following the documentation requirements of the FedRAMP program, which mandates continuous cybersecurity monitoring for applications.
TIGTA recommended that the IRS:
- Develop a process to track cloud services contracts and to determine the contract values by cloud application;
- Consistently incorporate the SLAs, penalties and applicable contract clauses into cloud services contracts;
- Clarify in a formal policy that applications migrating to the cloud are required to engage and be processed centrally;
- Ensure that all applications operating in the cloud have obtained governance board approval; and
- Implement the new security review guidance for continuous monitoring.
The IRS agreed with all the recommendations. "Cloud computing is a major part of IRS operations today, and we expect cloud computing will continue to play an important role in the agency's technology transformation moving forward," wrote IRS acting chief information officer Kaschit Pandya and chief procurement officer Todd Anthony in response to the report. "The IRS leverages cloud-based technologies and embraces modern technology practices — resulting in major improvements to our legacy systems — but more work remains."
Steven Mezzio, author of the book
"These findings highlight the ongoing challenges many (perhaps most) institutions face in implementing proper cloud governance, including defining roles, responsibilities, accountability, and oversight over the contractual terms for sharing responsibility for cloud governance with third-party cloud service providers (CSPs) and managed service providers (MSPs)," said Mezzio, who is also an accounting professor at Pace University. "This disruption shines a bright light on how best to optimize cloud opportunities while at the same time governing the cloud effectively, securely, responsibly, and practically within an institution's strategy and governance ecosystem."