The Office of the Inspector General (OIG) at the Federal Deposit Insurance Corporation (FDIC), in an audit report released on July 25, found that the agency’s current governance and strategy controls of its cloud computing transition lack in several vital areas, posing cybersecurity risks.
The audit states that the agency “did not adhere to several cloud-related practices recommended by the Office of Management and Budget (OMB), National Institute of Standards and Technology (NIST), and FDIC guidance.”
Among those gaps, the audit found that the FDIC “did not have an inventory of all data assets residing in its cloud environments or a fully developed data catalog,” meaning the agency lacked an organized, complete inventory of the data it holds in the cloud.
In addition, the audit found that the agency “did not establish an exit strategy as part of its cloud strategy planning to address issues… if the FDIC needed to terminate a contract with a cloud service provider.” It also found that the agency has not developed “disposal strategies or decommission plans for legacy systems.”
The audit also states that the FDIC “did not develop Contract Management Plans (CMP) for all 17 contract actions for cloud services valued at over $546 million.”
Although the report did state that overall “the FDIC has [an] effective strategy and governance processes to manage its cloud computing services,” the OIG said the agency still needs to work on those key areas.
The audit concludes by giving nine different recommendations to cover vital areas in the FDIC’s cloud strategy:
- Develop and maintain an inventory and catalog of all FDIC data used throughout the cloud data lifecycle;
- Establish and implement data governance requirements;
- Create and establish an exit strategy for all cloud-based systems;
- Develop and implement Contract Management Plans for all contract actions, including contracts, basic ordering agreements, and related task orders, as required by FDIC policy;
- Provide additional training to Contracting Officers and Oversight Managers to emphasize the requirement to develop Contract Management Plans;
- Develop and implement policies and procedures to regularly review contract actions to confirm Contract Management Plans are put in place;
- Update the Project Management Lifecycle and System Development Life Cycle frameworks to include a Disposal phase and process;
- Develop and implement policies and procedures for overseeing the decommissioning of legacy systems; and
- Review all current and planned system replacements and ensure legacy system decommissioning plans are created in accordance with FDIC policies and procedures.
“As the FDIC is migrating its mission essential and mission critical systems and applications into the cloud, an effective strategy must be in place to ensure there is alignment between cloud adoption and the FDIC’s performance goals for increasing operational efficiencies and optimizing costs,” the audit says.