Report 16-16: Weakness Identified During SBA’s Office 365 Cloud Email
About this document and download
On Tuesday, June 7, 2016, the Office of Inspector General issued Audit Report 16-16, Weakness Identified During SBA’s Office 365 Cloud Email. In order to meet Office of Management and Budget (OMB) guidance, the Small Business Administration (SBA) started the Office 365 cloud email migration project, which will move its email system off of the on-premises SBA email servers to Office 365’s cloud-based system. Our audit objective was to determine whether SBA’s email cloud migration to Office 365 followed applicable Federal guidance and standards, such as those outlined in FedRAMP. We identified multiple risk areas during the migration. First, our office found that the Capstone working group has not taken preliminary steps to develop an archive policy or establish testing plans to ensure the Office 365 cloud email migration meets Capstone requirements. Additionally, because the project has faced significant delays, the Office of the Chief Information Officer should evaluate whether to continue, modify, or terminate the cloud email project. We also determined that SBA has not reported the project’s status accurately and timely. Due to a lack of planning and oversight, the Agency has exceeded anticipated timelines without deploying a system that meets OMB deadlines and guidance.
The Office of the Chief Information officer generally agreed with the memorandum results and five recommendations. However, we noted that management’s response to Recommendation 5 only addressed the status of the Office 365 cloud email migration, rather than reporting the controls for all SBA IT investments on the Federal IT dashboard.