July 24, 2014
U.S. Environmental Protection Agency 14-P-0323
Office of Inspector General
At a Glance
Why We Did This Review
The U.S. Environmental Protection Agency (EPA), Office of Inspector General
(OIG), conducted this audit to evaluate select agency efforts to adopt cloud
computing technologies and to review executed contracts between the agency and
cloud service providers for compliance with applicable standards. This audit
was conducted as part of a governmentwide initiative by the Council of the
Inspectors General on Integrity and Efficiency (CIGIE). Information gathered
during the subject audit will be incorporated into a governmentwide report to
be released by CIGIE.
The report addresses the following EPA goal or cross-agency strategy:
• Embracing EPA as a high-performing organization.
EPA Is Not Fully Aware of the Extent of Its Use
of Cloud Computing Technologies
For further information, contact our public affairs office at (202) 566-2391.
The full report is at:
www.epa.gov/oig/reports/2014/20140724-14-P-0323.pdf
EPA officials lack confidence that offices recognize its full use of cloud
computing for agency operations.
What We Found
The CIGIE developed a survey and asked its members
to contact their respective agencies and collect
information about the deployment of cloud computing
technologies. Additionally, CIGIE provided a matrix
template for each Inspector General to complete to
standardize the results of the CIGIE collaboration effort,
and to assist with the completion of the consolidated
report. In consultation with the CIGIE, the EPA OIG selected one system to
review and completed the provided matrix with test results.
The EPA OIG selected the current contract for the Office of Water's Permit
Management Oversight System (PMOS) for testing. In 2012, the Office of Water
used the Office of Acquisition Management to contract for a vendor to maintain
and host the PMOS application. Although the PMOS was not included in the
EPA's response document to the CIGIE survey, the PMOS is currently hosted by
an EPA subcontractor whose hosting environment has cloud characteristics. The
subcontractor's hosting environment also appeared to meet the definition of a
"cloud," as defined by the National Institute of Standards and Technology (NIST)
Special Publication 800-145, The NIST Definition of Cloud Computing.
The PMOS enables the EPA to track general and tribal permits at a summary
level. The PMOS captures limited information on these permits, which enables
the EPA to track the universe and status of these permits. The PMOS is used to
prepare National Pollutant Discharge Elimination System reports for the Office of
Management and Budget.
Our audit work disclosed management oversight concerns regarding the EPA's
use of cloud computing technologies. These concerns highlight the need for the
EPA to strengthen its catalog of cloud vendors and processes to manage vendor
relationships to ensure compliance with federal security requirements. In
particular:
• The EPA did not know when its offices were using cloud computing.
• The EPA should improve the oversight process for prime contractors
  (to include ensuring subcontractors comply with federal security
  requirements and establishing service-level agreements for cloud services).
• There is no assurance that the EPA has access to the subcontractor's
  cloud environment for audit and investigative purposes.
• The subcontractor is not compliant with the Federal Risk and Authorization
  Management Program.
The EPA indicated the provided matrix is factually correct. The EPA response
and our comments are at appendix B.

-------