Audit of USAID's Progress in Adopting Cloud Computing Technologies

Recommendations

Recommendation
1

The Chief Information Officer review the permissions within the Google Apps for business applications and revise any that are necessary to protect any personally identifiable information and sensitive but unclassified information from being shared improperly.

Questioned Cost
0
Close Date
Recommendation
2

The Chief Information Officer document and implement procedures to review permissions periodically within the Google Apps for business applications to identify and correct any improperly shared personally identifiable information and other sensitive information.

Questioned Cost
0
Close Date
Recommendation
3

The Chief Information Officer document and implement a training program for users of the Google Apps for business applications that includes awareness of the risks of disclosing sensitive information and preventive measures to avoid improper disclosure.

Questioned Cost
0
Close Date
Recommendation
4

The Chief Information Officer review and update the May 26, 2011, privacy impact assessment for Google Apps for business to reflect the types of information that the Google applications collect, maintain, and disseminate, and how the information is used.

Questioned Cost
0
Close Date
Recommendation
5

The Chief Information Officer document and implement a process for confirming that complete and detailed cost-benefit analyses are prepared for all proposed cloud computing service contracts and that investment documents, including cost estimates and validations, are maintained in accordance with Office of Management and Budget Circular A-130, the Federal Acquisition Regulation Subpart 39, and Automated Directives System 577.

Questioned Cost
0
Close Date
Recommendation
6

The Chief Information Officer document and implement a process for confirming that all documents supporting post-implementation reviews of cloud computing service contracts are maintained as required in Automated Directives System 577.

Questioned Cost
0
Close Date
Recommendation
7

The Chief Information Officer update USAID's inventory of cloud computing contracts so the inventory list is complete.

Questioned Cost
0
Close Date
Recommendation
8

The Chief Information Officer document and implement procedures for maintaining a complete, accurate inventory of the Agency's cloud computing contracts.

Questioned Cost
0
Close Date
Recommendation
9

The Director, Office of Acquisition and Assistance, document and implement acquisition policies and procedures to comply with the IT Project Governance Manual, and require USAID missions, bureaus, and offices to get the Chief Information Officer's approval before acquiring and using cloud computing services.

Questioned Cost
0
Close Date
Recommendation
10

The Director, Office of Acquisition and Assistance, develop and establish cloud service contracting requirements in accordance with the best practices for the following items: terms of service, service level agreements, nondisclosure agreements, and investigative access.

Questioned Cost
0
Close Date
Recommendation
11

The Chief Information Officer modify USAID contract no. AID-CIO-O-13-00054 with MiCore Solutions Inc. for Google Apps for business to include: terms of service and assign a USAID official to monitor USAID's compliance with the terms. A service level agreement that addresses scheduled service outages, data preservation responsibilities, and service agreement change. A signed nondisclosure agreement by the cloud service provider. A requirement for investigative access in accordance with best practices.

Questioned Cost
0
Close Date
Recommendation
12

The Chief Information Officer modify USAID contract no. AID-CIO-M-11-00008 with Terremark Federal Group Inc. for Terremark Services to include: an assigned USAID official to monitor USAID's compliance with the terms of service. An executed service level agreement with the cloud service provider that addresses remedies to be paid when services are not available. A signed nondisclosure agreement by the cloud service provider. A requirement for investigative access in accordance with best practices.

Questioned Cost
0
Close Date
Recommendation
13

The Chief Information Officer modify USAID contract no. AID-CTA-TO-13-00001/2 with Triad Technology Partners Inc. and Immix Technology Inc. for the Intranet Modernization Initiative to include: terms of service and assign a USAID official to monitor USAID's compliance with the terms. An executed service level agreement with the cloud service provider that addresses scheduled service outages, data preservation responsibilities, service agreement changes, and remedies to be paid when services are not available. A signed nondisclosure agreement by the cloud service provider. A requirement for investigative access in accordance with best practices.

Questioned Cost
0
Close Date
Recommendation
14

The Chief Information Officer establish or revise target dates in Google Apps for business's plan of action and milestones for action items that do not have a due date or are past-due.

Questioned Cost
0
Close Date
Recommendation
15

The Chief Information Officer modify the contract for Google Apps for business to require that the cloud service provider be certified by the Federal Risk and Authorization Management Program, or move the service to a certified provider.

Questioned Cost
0
Close Date
Recommendation
16

The Chief Information Officer complete the Federal Risk and Authorization Management Program Agency Authorization for Huddle and Tibbr for the Intranet Modernization Initiative by September 30, 2015, per the contract.

Questioned Cost
0
Close Date
Recommendation
17

The Chief Information Officer assess and authorize security controls for Salesforce's CRM cloud-based system.

Questioned Cost
0
Close Date
Recommendation
18

The Chief Information Officer update the Frequency of Reviews column in Automated Directives System, Chapter 577, Table 1 - Investment Funding Category Documentation and Review Requirements, by requiring post-implementation reviews for Investment Funding Category I and II as required by the Office of Management and Budget Circular A-130.

Questioned Cost
0
Close Date