Last month the USPS Inspector General issued a report critical of USPS data backup procedures. The report came in response to an incident earlier this year in which an important security database was lost due to a hardware failure. IT staff had maintained a backup copy of the database, but it was stored on the same hardware as the original- so when the hardware failed, both copies were lost.
Now the OIG reports that the USPS isn’t managing its cloud computing activities properly, and says those failures have cost the USPS over $33 million:
What the OIG Found
The Postal Service’s cloud computing contracts did not comply with all applicable Postal Service’s standards. Specifically, the Postal Service has not defined “cloud computing” and “hosted services,” established an enterprise-wide inventory of cloud computing services, required suppliers and their employees to sign non-disclosure agreements, or included all required information security clauses in its contracts.
In addition, management did not appropriately monitor applications to ensure system availability. Management also did not complete the required security analysis process for three cloud services reviewed and did not follow Postal Service policy requiring cloud service providers to meet federal government guidelines. This occurred because no group is responsible for managing cloud services, and personnel were not aware of all policy and contractual obligations.
Without proper knowledge of and control over applications in the cloud environment, the Postal Service cannot properly secure cloud computing technologies and is at increased risk of unauthorized access and disclosure of sensitive data. We claimed $33,517,151 in contractual costs for the Postal Service not following their policy and contract requirements.
What the OIG Recommended
We recommended management define “cloud computing” and “hosted services,” develop an inventory of cloud services, monitor suppliers and require them to be certified, and revise contracts to include security clauses. We also recommended management evaluate best practices for cloud computing contracts, complete the security analysis process, and ensure compliance with non-disclosure clauses.
USPS OIG reports