The IRS is not providing effective management and oversight of cloud services contracts, according to a report by the Treasury Inspector General for Tax Administration (TIGTA).
TIGTA faulted the IRS for not being able to locate all cloud services contracts in a recent audit. The report stated, "After searching for nearly three months, the cloud services contracts for 65 (97 percent) of 67 cloud applications on a Cloud Inventory Report were located, but the contracts for two (3 percent) applications are missing."
Initially, the Office of the Chief Procurement Officer identified and provided the cloud services contracts for only 24 of the 67 cloud applications, but was unable to identify and provide the contracts for the remaining 43 applications listed in the Cloud Management Office's November 2022 Cloud Inventory Report. It was only after Strategic Supplier Management and Authorizing Officials joined the search that the 65 contracts were found. The report stated that "after searching for nearly three months, from January through March 2023, the cloud services contracts for the remaining two (3 percent) cloud applications were not found."
The chief finding of the audit was that the management and oversight of cloud managed services contracts and the enterprise cloud program are insufficient and need improvements. In particular, TIGTA pointed out that the IRS is not consistently and effectively using the service level agreements. “When service level agreements are inconsistently and ineffectively used, the IRS may be unable to successfully manage risks, ensure that service levels are met, and apply applicable penalties,” the report stated.
The audit also found that none of the 34 cloud applications that were required to engage the Cloud Front Door process—the Cloud Management Office’s centralized processing function for all applications migrating to the cloud—fully completed the necessary steps, including obtaining Cloud Governance Board approval.
“[R]outinely bypassing the Cloud Front Door process creates confusion and leads to inefficiency for applications migrating to the cloud,” the audit read.
The audit also found that “continuous monitoring security reviews of cloud applications are not documented.”
TIGTA made seven recommendations to the Chief Procurement Officer. They included developing a process to track cloud services contracts and to determine the contract values by cloud application; and consistently incorporating the service level agreements, penalties, and applicable contract clauses into cloud services contracts.
TIGTA also made five recommendations to the Chief Information Officer. They included clarifying in a formal policy that applications migrating to the cloud are required to engage and be processed centrally; ensuring that all applications operating in the cloud have obtained governance board approval; and implementing the new security review guidance for continuous monitoring.
The IRS agreed with all 12 recommendations.
The report stated that the "Chief Procurement Officer plans to develop an identification and tracking process for cloud services contracts that includes product and service descriptions and contract values, and update a checklist indicating whether SLAs and contract clauses are required in cloud services contracts. The Chief Information Officer also plans to implement a new policy requiring all applications migrating to the cloud to follow the centralized process and obtain governance approval, and implement the new security review guidance for continuous monitoring."