In January 2014, CIGIE initiated a government-wide review of select agencies' efforts to adopt cloud computing technologies. The initiative focused on reviewing cloud computing contracts for inclusion of specific clauses and the agencies' efforts to monitor the performance of CSPs. In support of the CIGIE initiative, our objective was to review the CFPB's acquisition and contract management for AWS and CAT to determine whether requirements for security, service levels, and access to records were appropriately planned for, defined in contracts, and being monitored.
To accomplish our audit objective, we developed an inventory of cloud computing–based systems by surveying CFPB officials responsible for the procurement, maintenance, and monitoring of the agency's cloud contracts. To perform our assessment, we judgmentally selected the AWS and CAT cloud computing–based systems based on their respective service models, contract lengths, total contract values, and associated risk categorizations. To perform our review, we analyzed the AWS and CAT contracts, SLAs, and security documentation. Further, we interviewed managers and staff at the CFPB, as well as contracting officers at Treasury who were responsible for the development of the AWS and CAT contracts.
We performed our fieldwork from February 2014 through June 2014. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.