

The OIG stated that since 2013 NASA has established three Federal Risk and Authorization Management Program (FedRAMP)-approved cloud computing services for Agency use and has moved approximately 1.2% of its data into these environments. However, much of the Agency’s cloud computing activity occurs outside of these FedRAMP-approved services. The NASA CIO said its office has issued policy memorandums and related guidance requiring personnel to utilize only cloud computing services approved by the Agency and has made the cloud services registry of approved cloud services available via an internal NASA website. With NASA’s increasing use of the cloud, it is imperative the Agency strengthen its risk management and governance practices to safeguard its data.

“In contrast to the traditional data center model that requires a significant initial investment in IT hardware and infrastructure, cloud computing allows NASA scientists and engineers to use only the resources needed to complete a particular project or function,” the OIG stated. NASA uses cloud computing to address many important functions, including large-scale computational services to support science programs and storage of large data sets associated with high-resolution mapping of planetary surfaces, as well as for more routine services like website hosting and document storage, the OIG report stated.

Gartner recently wrote that: “One thing has become clear in the past few years, shadow IT is here to stay. As digital business evolves, the IT department will make fewer technology decisions, and individual business units will begin selecting technology for their teams. In fact, Gartner predicts that through 2017, 38% of technology purchases will be managed, defined and controlled by business leaders.”

Such shadow IT operations are one major challenge facing federal, public and private entities in the interconnected world. In the NASA situation, the OIG noted that using a government purchase card and web browser, employees can easily purchase low-cost subscription licenses to cloud computing services and easily obtain applications that allow them to transmit, process, and store large amounts of data without the CIO’s or Chief Information Security Officer’s involvement or awareness. Indeed, in some cases, cloud storage services are free.

In the report the OIG stated: “The utilization of cloud services without NASA approval or awareness places Agency data stored there at unnecessary risk. For example, one service we discovered – TeamViewer – provides the capability for “automatic discovery” of nearby contacts and devices to make collaboration and interaction easier, as well as “file transfer” that allows users to share files of any size using convenient methods such as file manager, contextual menus, drag and drop, and a file box that can link to cloud storage providers. This capability could allow sensitive data to be accessed by unauthorized individuals. Similarly, Huddle, another unapproved service that facilitates collaboration among team members, allows files to be shared easily across devices, locations, and teams outside of NASA’s firewall, and therefore could result in the same type of unauthorized access,” the OIG stated.
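The gap the OIG describes is one of awareness: an approved-services registry exists, but the CIO and CISO have no view of the cloud services staff actually use. The following is an added example, not code from the OIG report, NASA or Gartner, of how a security team can surface that gap from its own web-proxy logs by comparing outbound upload traffic against the approved registry. The registry entries, the catalogue of known unapproved services, the hostnames (placeholders, not the vendors' real domains), the log layout and the sample log lines are all constructed assumptions for this illustration.

```python
"""Flag cloud-service uploads whose destination is not in the approved registry.

Constructed example: registry entries, service catalogue, hostnames and log
lines below are made up for illustration. The registry format and the proxy
log layout are assumptions, not NASA's actual artifacts.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed export of the approved cloud services registry (constructed sample).
APPROVED_REGISTRY = {
    "approved-storage.example.com": "Approved object storage (FedRAMP)",
    "approved-compute.example.net": "Approved compute (FedRAMP)",
}

# Catalogue of services known NOT to be on the registry. The service names
# come from the OIG report; the hostnames are placeholders, not real domains.
KNOWN_UNAPPROVED = {
    "teamviewer-placeholder.example": "TeamViewer (remote access, file transfer)",
    "huddle-placeholder.example": "Huddle (file sharing / collaboration)",
}

# Constructed proxy log lines: "<time> <user> <method> <url> <bytes_out>"
SAMPLE_LOG = """\
2015-07-29T09:12:01Z alice GET https://approved-storage.example.com/bucket/report.pdf 512
2015-07-29T09:15:44Z bob POST https://huddle-placeholder.example/api/upload 734003200
2015-07-29T09:16:10Z bob POST https://huddle-placeholder.example/api/upload 120000000
2015-07-29T10:02:33Z carol PUT https://teamviewer-placeholder.example/files/drop 52428800
2015-07-29T10:30:00Z dave POST https://unknown-sync.example.org/upload 9000000
2015-07-29T11:00:00Z alice GET https://internal-site.example.gov/ 0
"""

# Methods that carry data out of the network; GETs are not counted as uploads.
UPLOAD_METHODS = {"POST", "PUT"}


def parse_line(line):
    """Split one whitespace-delimited proxy record into a dict."""
    time, user, method, url, bytes_out = line.split()
    host = urlsplit(url).hostname.lower()
    return {"time": time, "user": user, "method": method,
            "host": host, "bytes_out": int(bytes_out)}


def classify(host):
    """approved: on the registry; unapproved: in the known-unapproved
    catalogue; unknown: on neither list and therefore needs review."""
    if host in APPROVED_REGISTRY:
        return "approved"
    if host in KNOWN_UNAPPROVED:
        return "unapproved"
    return "unknown"


def shadow_cloud_report(log_text, min_upload_bytes=1_000_000):
    """Aggregate outbound bytes per (user, host) for non-approved destinations.

    Returns findings sorted by bytes descending; destinations below
    min_upload_bytes are dropped to keep the report focused on bulk transfers.
    """
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        category = classify(rec["host"])
        if category == "approved" or rec["method"] not in UPLOAD_METHODS:
            continue
        totals[(rec["user"], rec["host"], category)] += rec["bytes_out"]

    findings = [
        {"user": user, "host": host, "category": category,
         "label": KNOWN_UNAPPROVED.get(host, "not in registry or catalogue"),
         "bytes_out": total}
        for (user, host, category), total in totals.items()
        if total >= min_upload_bytes
    ]
    findings.sort(key=lambda f: f["bytes_out"], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in shadow_cloud_report(SAMPLE_LOG):
        print(f"{finding['user']:6} {finding['category']:10} "
              f"{finding['bytes_out']:>12} {finding['host']}  [{finding['label']}]")
```

The "unknown" bucket is the useful part: a host that is on neither list is exactly the kind of service the OIG found by accident, and each one should be reviewed and then added either to the registry or to the unapproved catalogue so the next run is quieter. The byte threshold is a tuning knob, not a security boundary; lower it when investigating a specific user or service.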
