Audit Finds Department of Defense Cloud Use Poorly Defined and Tracked

The US Department of Defense cannot show cost benefits, or even adequate security from cloud services, because it has no standard definition for what they are, and no central account of cloud contracts, according to an audit by the DOD inspector general. The audit was initially meant to assess the cost benefits DOD is achieving from cloud computing, but the report instead identifies the barriers to any such assessment, and how to remove them.

According to the audit report, the DOD uses the National Institute of Standards and Technology’s cloud computing definition (PDF). That definition proved problematic for branch CIOs, who claimed a lack of clarity and disagreed about whether all characteristics identified by NIST were necessary to be considered a cloud service.

The audit also found wide divergence between service contracts as provided by department and DOD CIO representatives, which did not even agree on the number of active contracts.

The report recommends the adoption and communication of a standard, DOD-wide definition of cloud services, which would be used to compile a central, comprehensive list of services contracted.

The DOD response did not address the first recommendation, and only partially addressed the second, according to the inspector general, who has requested further comment from the DOD CIO Terry Halvorsen by January 27, 2016.

Halvorsen announced a database consolidation project in 2014 which the DoD hoped would eventually save $10 to $20 billion, and could involve adopting a cloud-based solution. As a huge organization with unique IT challenges, the DoD can surely realize major cost savings from the cloud, but effective implementation and tracking are just as important as in any other case. A July study by Cloud Cruiser showed that organizations with advanced cloud adoption tend to highly value cloud usage and cost tracking.