“Our audit work disclosed management oversight concerns regarding the EPA’s use of cloud computing technologies. These concerns highlight the need for the EPA to strengthen its catalog of cloud vendors and processes to manage vendor relationships to ensure compliance with federal security requirements. In
- The EPA did not know when its offices were using cloud computing.
- The EPA should improve the oversight process for prime contractors (to include ensuring subcontractors comply with federal security requirements and establishing service-level agreements for cloud services).
- There is no assurance that the EPA has access to the subcontractor’s cloud environment for audit and investigative purposes.
- The subcontractor is not compliant with the Federal Risk and Authorization Management Program.”