The trouble started in 2006, when Chuck Coe, the assistant Inspector general for IT audits and computer crime at the Department of Education, had to issue a subpoena to a subcontractor to get access to IP addresses and diagrams from a subcontractor doing hosting for the agency. The subcontractor challenged Coe in court, out of concern that the investigation might compromise the security of other customers. Coe prevailed; the subcontractor unmingled the Education data from its public cloud and put them in their own environment.
The problem for Coe was that the process, from start to finish, took a year.
"You can rely on the IG Act to get access, but it is far better to have it in the contract language itself," Coe said in an interview with FCW.
This event stuck in Coe's mind as the government launched its cloud-first policy. He was concerned that IGs, general counsel staff and others charged with federal agency oversight could lose access to important information as it migrated into commercial cloud environments.
As chairman of the IT investigations subcommittee of the Council of Inspectors General on Integrity and Ethics, Coe led an effort to develop standard contract language for cloud computing services to go into the Federal Acquisition Regulations. The IGs need access to conduct their reviews of Federal Information System Management Act compliance, and for investigations.
The proposed FAR clause includes guarantees of physical access, documentation and system data for IGs, as well as notification in the event of any security incident that qualifies under the definitions laid out by the National Institute for Standards and Technology. The language would be required in any subcontract arranged by the prime contractor. The proposal is currently stalled at the FAR Council. Industry was not receptive to the request, Coe said.
Commercial cloud providers face a gray area when it comes to federal access to their systems. Vendors are obligated to look after the legal and constitutional rights of cloud tenants whose data is intermingled with that of federal users. Oversight officials, including IGs, say their mandate requires them to have physical access to any data center that has agency data, potentially putting them in a position to access information on non-federal users.
"This is a legal boundary that I don't believe was anticipated until someone actually bumped into it," said Trey Hodgkins, senior vice president at the Information Technology Alliance for Public Sector at the Information Technology Industry Council.
Paper laws for a tech age
A lack of oversight into agency cloud operations can have financial consequences.
At the Department of Veterans Affairs, a $36 million cloud deal was scuttled in 2013 in part due to a running disagreement between CIO Stephen Warren and acting IG Richard Griffin over the retention of email and overall access to cloud systems. The OIG at VA had shared Coe's draft language with the CIO's office when the cloud email project was still on the drawing board, but its provisions were not part of the final request for proposal issued by VA.
IGs who want to guarantee access to cloud environments must make their case internally. "That's the part your IG has to be mindful and aware of when these contracts are being considered, and engage the CIO or the contracting officer," Coe said. "You can do it at the agency level, but if it's in the FAR, a contractor can't argue with it," he said.
The military is trying to move the ball forward on cloud access. Jodi Cramer, a senior attorney at the Judge Advocate General of the Air Force, is leading a parallel effort to modify the Defense Federal Acquisition Regulation. Launched about a year ago, the DFAR modification effort is a piece of the overall Department of Defense-wide strategy to offer commercial cloud services to the military, led by the Defense Information Systems Agency.
We feel very strongly that moving our data to a commercial environment brings inherent risks to the government, and we need to ensure that there is certain language in contracts to protect us.
This effort is in a pre-decisional stage, and it could be a year before a proposed rule is accepted by the Office of Management and Budget and put out for comment in the Federal Register. Cramer couldn't comment on the exact contract language she is seeking, but the effort tracks closely with a March 2014 update to DISA's cloud security model. Those guidelines specify that DoD agencies and law enforcement be granted physical access to data centers for audit purposes, FISMA compliance and IG investigations, and be permitted to copy or extract data as needed.
The DISA requirements state that cloud vendors "shall segregate the data and afford access to such information in a secure and private space, and without [vendor] presence, if requested." The document specifies additional requirements covering agency users, including compliance with federal records law, and the guarantees that law enforcement and auditing officials will be able to get data from systems without a warrant or subpoena.
Yet adapting Privacy Act and Inspector General Act rules to cover federal participation in the evolving commercial cloud industry is tricky.
"We're trying to fit laws based on paper into a technological age," Cramer said. At the same time, he said, "we feel very strongly that moving our data to a commercial environment brings inherent risks to the government, and we need to ensure that there is certain language in contracts to protect us."
The Council of Inspectors General on Integrity and Ethics is preparing a survey on cloud contracts as part of a process that includes 20 IGs.
The CIGIE study is based on a 2013 survey NASA did of its cloud contracts that found wide variances in the costs and security controls of the space agency's cloud portfolio.
"I think [the CIGIE report] is going to be very eye-opening in terms of how well the federal government is doing in writing cloud contract language,” Coe said. “If the NASA report is any indication, then I think it's going to demonstrate that we have room for improvement." That report is due out later this summer.
Access to cloud environments by law enforcement is not just a federal agency issue.
While most government clouds are required to store data on systems in the continental United States, commercial clients can have data sprawling across the globe. Law enforcement and regulators are being challenged by commercial providers over requests for access to data – even under subpoena or search warrant.
Microsoft is fighting an order from a federal magistrate to turn over emails on a customer that are stored on a data center in Ireland. Microsoft argues that complying with the order "would violate international law and treaties, and reduce the privacy protection of everyone on the planet."
While the case doesn't directly bear on the issue of federal cloud contracts -- feds and contractors have no expectation of privacy while using federal systems -- it is interesting to see the cloud industry close ranks against the government in the wake of the Edward Snowden leaks.
U.S. cloud providers are concerned that surveillance by U.S. intelligence agencies is weakening them in the global market. The Information Technology and Innovation Foundation estimated last year that the Snowden revelations would cost the U.S. cloud industry $35 billion in lost business.
Microsoft's filing reflects this concern, saying that a government victory in this case would "ultimately erode the leadership of U.S. technology companies in the global market."
This article originally appeared in Federal Computer Week and can be found here.