IG reveals missteps in GSA's cloud migration

Some sensitive personnel and operational documents were exposed as the General Services Administration moved to the cloud a few years ago, according to a report just released by the agency's Inspector General.

The sensitive employee and government agency information that was left exposed were on the agency's Google Groups, Sites and Docs collaborative tools, according to the a series of reports from the IG, which notified GSA officials at the time.

The GSA IG publicly released the reports on Jan. 27, 2017, but the reports themselves were from the 2014-2015 time period.

GSA began moving to the cloud in 2011, a year after it awarded its cloud computing contract to Google to host its agencywide email system and collaboration services.

The agency left unprotected sensitive information in its cloud computing environment during that time frame, according to the agency watchdog. The IG said it didn't make the reports public at the time out of vulnerability concerns. The problems, it said in release, have since been solved.

For example, there was unsecured personally identifiable information including Social Security numbers in a GSA Google Group, according to Patricia Sheehan, director of GSA IG's Office of Forensic Auditing, Evaluation and Analysis. In a memo, Sheehan said that employee information and proprietary contractor data were accessible to users.

The IG also found that sensitive documents such as a draft National Security Staff Cyber Response Group Protocol, used for White House situational awareness of cyber threats affecting national security, national economic security or national public health and safety, could be accessed.

The IG said on July 29, 2014, the GSA incident response team isolated the GSA Google Group identified by the OIG and took corrective action immediately to set security permissions for authorized users only. The agency proceeded to submit a timely US-CERT incident report on the matter, it said.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at or follow him on Twitter at @MRockwell4.


Charter Sponsors