The Treasury Inspector General for Tax Administration (TIGTA) criticized the IRS's oversight of its cloud infrastructure, particularly in relation to vendor contracts.
The difficulty TIGTA had in finding the relevant contracts in the first place was highlighted in a
TIGTA then approached the IRS's Cloud Management Office (CMO), which is responsible for migrating projects to the cloud. CMO management stated that they were unable to provide any of the cloud services contracts because they do not provide oversight of them.
Following this, TIGTA contacted IRS Strategic Supplier Management, whose aim is to support the IRS's strategic management of information technology acquisitions and minimize risk in the acquisition process. That office was able to provide the cloud services contracts for an additional 32 cloud applications. Finally, TIGTA asked the cloud application Authorizing Officials listed on the CIR to identify and provide the cloud services contracts, and they provided the contracts for another nine applications.
Two contracts were never located. As of the release of this inspection report, they remain unaccounted for.
TIGTA faulted the IRS for how it organizes its cloud services contracts. A significant issue is that the Office of the Chief Procurement Officer (OCPO) has no process to track cloud services contracts, and contracting officers did not always store cloud services contracts in the Folders Management module as required. OCPO management also did not offer guidance or training to contracting officers to support uniformity when processing cloud services contracts, despite regulations mandating it to do so.
“Rather, they rely on the contracting officers to obtain this knowledge through guidance from other experienced contracting officers or professional training certifications. As a result, the OCPO must make various and time-consuming queries of the Procurement System to identify the cloud services contracts,” said TIGTA.
TIGTA also noted that even among the contracts it could identify, the IRS could not determine the value of 45% of them. Cloud services contracts, including contract modifications, may also cover the purchase of other information technology services and products. Because the IRS has no process to track detailed contract data, the specific contract values and obligations associated with each cloud application are not readily identified or determined, TIGTA said.
The contracting process itself was also criticized by the inspectors. All contracts are supposed to include service-level agreements (SLAs) that define the level of performance expected from a service provider, how that performance will be measured, and what enforcement mechanisms will be used to ensure that the specified service levels are achieved. TIGTA noted that the IRS followed proper SLA procedure for cybersecurity, but other areas were far less consistent:
- Two cloud services contracts included nine SLAs, each with an associated penalty.
- One cloud services contract did not include any SLAs or associated penalties.
- One cloud services contract included an SLA that required the cloud application to provide "high availability," defined as having operations available 24 hours a day, seven days a week (99.9 percent of the time). However, the SLA did not specify any performance reporting or monitoring frequency, and there were no associated penalties for failing to meet the service level.
- One cloud services contract included seven SLAs, each with an associated penalty for not meeting the service level. One service level was not met in September 2022 and the IRS assessed a penalty. The penalty for not meeting the service level was equal to 3 percent of the monthly cost for the web hosting service, calculated to be $1,017. However, as of May 2023, the IRS had not yet collected the penalty.
“OCPO management stated that instead of including specific SLAs, they default to their ability to post negative comments about the contractor in the Contractor Performance Assessment Reporting System following each contract period of performance or to terminate the contract entirely for severe deficiencies,” said the report.
TIGTA also said the IRS, despite requirements to do so, did not pass contracts through the Cloud Front Door (CFD) process. The CFD process serves as the IRS’s “on-ramp” to the cloud and is the CMO’s centralized processing function for all applications migrating to the cloud. The CMO also manages the Enterprise Cloud Program, a cross-functional program responsible for establishing enterprise-wide cloud capabilities, building the IRS’s multicloud system, and providing services to cloud-based projects.
Because the IRS does not centrally manage cloud contracts, the CFD process was routinely bypassed, which could carry cybersecurity implications. For the same reason, the IRS is unable to produce an accurate inventory of its cloud applications. The IRS announced in August that the CMO had been officially phased out and would transition into the Enterprise Cloud Architecture and Design office to better align with the IRS's enterprise goals and modernization efforts.
The report also said the IRS was not following the documentation requirements of the FedRAMP program, which mandates continuous cybersecurity monitoring for applications.
TIGTA recommended that the IRS:
* Develop a process to track cloud services contracts and to determine the contract values by cloud application;
* Consistently incorporate the SLAs, penalties, and applicable contract clauses into cloud services contracts;
* Clarify in a formal policy that applications migrating to the cloud are required to engage and be processed centrally;
* Ensure that all applications operating in the cloud have obtained governance board approval; and
* Implement the new security review guidance for continuous monitoring.
The IRS agreed with all recommendations.