CFPB Report: 2019-IT-C-009, July 17, 2019
The Bureau plans to move to a cloud-only IT infrastructure by 2022, with some of the stated benefits being cost reduction and improvement in service quality. It currently leverages FedRAMP, a governmentwide program offering a risk-based approach to the adoption of contractor-provided cloud services. The Bureau has deployed FedRAMP-approved cloud systems for data storage, certain applications, and other systems to support agency work. We evaluated the Bureau's life cycle process for deploying and managing FedRAMP cloud systems, including whether effective security controls have been implemented.
The Bureau's process is not yet effective in ensuring that (1) risks are comprehensively assessed before deploying new cloud systems, (2) continuous monitoring is performed to identify security control weaknesses after deployment, and (3) electronic media sanitization renders sensitive Bureau data unrecoverable when cloud systems are decommissioned.
Our report contains recommendations.