Targeted Review of the Bureau of Diplomatic Technology’s Cloud Services Program Management

ISP-I-24-21
    Unclassified

    Summary of Review 

    OIG reviewed the Bureau of Information Resource Management’s (IRM)[1] enterprise cloud computing services program management. The two primary enterprise cloud service providers in IRM are the Cloud Program Management Office (CPMO) and the Systems Integration Office (SIO). Together, the two offices offer seven enterprise-level[2] (or enterprise) cloud services to help Department of State (Department) bureaus and offices efficiently and securely transition their systems and applications from on-premises data centers to modernized cloud environments, in accordance with IRM’s stated goal of enabling modernization. Due to the self-service capabilities inherent in cloud computing environments and the ability to rapidly provision and release cloud resources with minimal management involvement, there are cost, configuration, and security control risks unique to cloud computing that organizations managing these environments must address. Through this review, OIG sought to determine whether (1) enterprise-level cloud systems complied with federal and Department security requirements; (2) CPMO and SIO implemented required product management and customer engagement processes and procedures; (3) IRM established internal controls to govern the use of enterprise cloud systems in the Department; and (4) enterprise cloud systems complied with federal and Department contracting and procurement requirements.

    OIG found IRM’s cloud computing policies and guidelines have not kept pace with the quickly evolving cloud computing landscape and the rollout of enterprise cloud services in the Department. OIG’s review determined IRM established processes and procedures to meet most federal and Department security requirements and to monitor and control costs associated with the enterprise cloud services. However, the policies and guidelines IRM established to govern the procurement, implementation, configuration, and use of cloud services in the Department were outdated and obsolete. Additionally, OIG found the customer engagement processes IRM used to promote awareness of the enterprise cloud services required improvement.  

    This review includes 11 recommendations to improve IRM’s cloud services program management. In its comments on the draft review, the bureau concurred with all 11 recommendations. OIG considers all 11 recommendations resolved. The bureau’s response to each recommendation and OIG’s reply can be found in the Recommendations section of this review. The bureau’s formal written response is reprinted in its entirety in Appendix B.   

     

    [1] In May 2024, after OIG issued the draft targeted review, the Department changed the name of the bureau to the Bureau of Diplomatic Technology (DT). Throughout this targeted review, except for the report title and recommendations, the bureau is still referred to as IRM.

    [2] An enterprise-level service is defined as a solution designed to integrate multiple facets of an organization’s business.

    Recommendation 1 (Status: Open Resolved)

    The Bureau of Diplomatic Technology should update the Foreign Affairs Manual and Foreign Affairs Handbook to define its organizational structure and assign the associated cloud-related responsibilities to the responsible offices in its organizational structure.

    Recommendation 2 (Status: Open Resolved)

    The Bureau of Diplomatic Technology should update its cloud computing policies in accordance with Department standards.

    Recommendation 3 (Status: Open Resolved)

    The Bureau of Diplomatic Technology should update its cloud service procurement policies and guidelines and communicate the changes to the Department.

    Recommendation 4 (Status: Open Resolved)

    The Bureau of Diplomatic Technology should review Department configuration management policies for inconsistencies and update them to align with federal cloud policies.

    Recommendation 5 (Status: Open Resolved)

    The Bureau of Diplomatic Technology, in coordination with the Bureau of Diplomatic Security, should follow Department standards for cloud security guidelines.

    Recommendation 6 (Status: Open Resolved)

    The Bureau of Diplomatic Technology should comply with Department encryption key management requirements for enterprise cloud systems.

    Recommendation 7 (Status: Open Resolved)

    The Bureau of Diplomatic Technology should implement a communication plan for its domestic and overseas customers to include details on cloud responsibilities and available cloud products and services.

    Recommendation 8 (Status: Open Resolved)

    The Bureau of Diplomatic Technology should implement a formal process for gathering regular customer feedback on its cloud products and services.

    Recommendation 9 (Status: Open Resolved)

    The Bureau of Diplomatic Technology, in coordination with the Bureau of Administration, should bring its enterprise-level cloud services contract and contracting officer's representative files into compliance with Department and federal requirements.

    Recommendation 10 (Status: Open Resolved)

    The Bureau of Diplomatic Technology should bring the enterprise-level cloud services contracting officer's representative program into compliance with Department standards.

    Recommendation 11 (Status: Open Resolved)

    The Bureau of Diplomatic Technology, in coordination with the Bureau of Administration, should develop and communicate guidance specifying what cloud services procurement requirements staff need to implement, which staff are responsible for implementing them, and how the requirements should be implemented.