Despite NASA being an early pioneer in the field of cloud computing, the agency’s cloud-based systems and data could be at risk due to weaknesses in its IT oversight, according to the agency’s Inspector General (IG).

NASA uses cloud computing for large-scale computational services, storage of high-resolution planetary imaging data sets and more routine services such as website hosting and document storage, according to the IG. In 2009 the agency established its own private cloud computing data center, called Nebula, at Ames Research Center in California, but in 2012 the program was shut down after NASA concluded that public clouds had become cheaper, more reliable and more capable.

The IG found cloud-computing oversight by NASA’s Office of the Chief Information Officer (OCIO) to be lacking. “We found that the agency OCIO was not aware of all the cloud services NASA organizations had acquired or which service providers they used,” the report says. “In addition, only 3 of 15 Center and Mission Directorate Chief Information Officers we surveyed stated that coordination with the agency OCIO was necessary before moving NASA systems and data to public clouds.”

The IG reviewed five NASA contracts for cloud-computing services, and found that none met recommended best practices for ensuring data security. In four out of five cases, NASA accepted the provider’s standard contract, which did not include performance metrics or address federal government privacy, IT security or record-management requirements. The fifth contract also failed to include best practices for ensuring contractor performance and safeguarding data security, with the result that “the NASA systems and data covered by these five contracts are at an increased risk of compromise.”

At the time of the IG’s review, NASA spent less than 1% (roughly $10 million) of its $1.5 billion annual IT budget on cloud computing. The agency projects that 75% of its new IT programs could begin in the cloud within five years, and nearly all of its public data could be moved into cloud storage.

“While the adoption of cloud-computing technologies at NASA has the potential to improve IT service delivery, enhance collaboration, and reduce costs associated with managing the Agency’s diverse portfolio of IT assets, fully realizing these benefits will require strengthening the Agency’s IT governance and risk management practices,” the IG says.

The report recommends that the OCIO establish a cloud-computing program management office to coordinate, standardize and oversee NASA’s acquisition and deployment of cloud computing services. NASA agreed with the IG’s recommendations and proposed corrective actions, with the caveat that their implementation will be “subject to the availability of funds.”