FedRAMP, Contracts, and the U.S. Federal Government’s Move to Cloud Computing

How to Cite

McGillivray, K. (2016). FedRAMP, Contracts, and the U.S. Federal Government’s Move to Cloud Computing: If an 800-pound Gorilla Can’t Tame the Cloud, Who Can? Science and Technology Law Review, 17(2). https://doi.org/10.7916/stlr.v17i2.4008


Despite the many advantages of cloud computing, moving IT services outside of an organization’s physical boundaries means lost or reduced control over data and greater reliance on third parties. The risks associated with this loss of control are especially problematic for governments, particularly as they relate to data privacy and data security. Given their position of public trust and their responsibility for citizen data, governments occupy a complex role when using cloud services. The assumption that governments are able to effectively negotiate contracts with Cloud Service Providers (CSPs), and thereby meet legal and organizational requirements, is widely championed. But is purchasing power enough? As the U.S. federal government is poised to be one of the largest purchasers and consumers of cloud services, these questions are pertinent for the U.S. government, as well as for governments across the globe considering similar moves. The Article examines the adoption of cloud computing by the U.S. federal government and evaluates whether the U.S. cloud computing risk management program (FedRAMP) provides adequate tools to manage the risks associated with cloud computing. In evaluating FedRAMP, the Article examines the legal requirements applicable to the federal government’s use of cloud computing and assesses how those requirements are reflected in the FedRAMP program. The Article further evaluates cloud procurement by federal agencies and considers whether the contracts that agencies have entered into with CSPs are consistent with FedRAMP and other legal mandates. The primary sources for this evaluation are agency audit reports and agency cloud computing contracts obtained through Freedom of Information Act (FOIA) requests. The Article places particular focus on missing contract terms, and on terms that conflict with either the requirements of the FedRAMP program or U.S. federal law. The legal focus of the Article is primarily contract and data privacy law.