September 23, 2014
Mr. Andrew Patchan, Jr.
Associate Inspector General for Information Technology
Board of Governors of the Federal Reserve System &
Consumer Financial Protection Bureau
20th and C Streets, NW
Washington, DC 20551
Dear Mr. Patchan,
Thank you for the opportunity to review and comment on the Office of Inspector General's report entitled Audit of the CFPB's Acquisition and Contract Management of Select Cloud Computing Services.
We are pleased that you found that our contracts with Amazon.com and Deloitte included appropriate roles and responsibilities, information security requirements, and service-level expectations. We also appreciate your acknowledgement of the Bureau's efforts in establishing processes to monitor compliance with the contractual requirements as well as the service-level requirements of our CSP contracts.
We have reviewed the report and concur with your recommendations regarding opportunities for improvement in the areas of acquisition and contract management, specifically the manner in which sources of supply, cost analyses, inclusion of electronic discovery and investigatory forensic abilities, as well as records examination rights and noncompliance penalties, are managed in our CSP procurements. These recommendations are consistent with the Bureau's plans to mature our supply chain risk management processes, particularly in concert with the evolving standards and doctrine of the FedRAMP and NIST cloud computing endeavors.
Thank you for the professionalism and courtesy that your office demonstrated throughout this review, as well as your acknowledgement of our efforts to be responsive, communicative, and supportive of the audit team throughout the audit. We have provided comments for each recommendation.
Sincerely,
/signed/
Ashwin Vasan
Chief Information Officer
Enclosure
Recommendation 1: Ensure that an alternatives and cost analysis is conducted to inform the selection of cloud computing service providers and models.
Management Response: The Bureau concurs with this recommendation. As noted in the report, the Bureau's current investment review process was not yet in place when the contract with Amazon.com was initially awarded early in the Bureau's history, when we were rapidly working to establish an independent IT infrastructure. The acquisition of the Compliance Analysis Toolkit (CAT), as cited in the report, did undergo a business case analysis including an alternatives and cost analysis that led us to the selection of that tool as provided by Deloitte. Now, with the Bureau's investment review and capital investment planning processes in place, we are working to continue to mature our processes, which will include the appropriate reviews during source selection as well as cost/benefit and trade-off analyses.
Recommendation 2: Assess the costs and benefits of negotiating post award agreements with Amazon.com and Deloitte to include clauses for Inspector General information access, the conduct of forensic investigations and e-discovery, and penalties for noncompliance with contract and SLA terms, as appropriate.
Management Response: The Bureau concurs with this recommendation. Like all Federal agencies executing under the "Cloud First" policy (Federal Cloud Computing Strategy, etc.), the Bureau must contend with marketplace variables and evolving technologies, and this is no more apparent than in forensic and ESI (electronically stored information) discovery tools and methods. Simultaneous with that are the contractual terms and conditions that are unique to each CSP in how they accommodate access for audits and reviews, as well as compliance enforcement penalties, methods for measurement of compliance, and the remedies that can be afforded the Government in cases where compliance is found lacking. The Bureau is undertaking steps to assess the feasibility, as well as cost/benefit and trade-off analyses, for the existing contracts with both Amazon.com and Deloitte and, where appropriate, execute post-award agreements to help increase assurances that we have timely access to information hosted in these CSPs, and that Government interests are protected appropriately.
Recommendation 3: Ensure that the guidance used to develop contracts and SLAs with CSPs references FAR requirements and best practice contract clauses for information access, conduct of forensic investigations and e-discovery, and penalties for noncompliance, as appropriate.
Management Response: The Bureau concurs with this recommendation. The Bureau monitors issuances from NIST and the Federal CIO Council's FedRAMP organizations, and has noted that guidance is continuing to emerge regarding these topics. Just in September of this year, the FedRAMP program was closing the public comment period on CSP procurement topics like Incident Response and Vulnerability Scanning, in support of issuing further requirement guidance in the future. In June of this year, the FedRAMP program issued version 2.0 of the FedRAMP Control Specific Contract Clauses, which contains further elaboration and refinement of procurement requirements for topics like Incident Response and invocation of NIST issuances on forensics and other technical specialties. Simultaneous with that, we have observed that the marketplace continues to develop and introduce product offerings related to e-discovery and cloud ESI retrieval in support of litigation, law enforcement, and other mandates. These drivers, along with inclusion of standardized FAR clauses, requirements for information access in support of audits and assessments, and penalties for less than compliant contract execution on the part of the CSPs, are all matters that are in scope for the Bureau's ongoing supply chain guidance maturation goals and improvement processes. Recommendation #3 supports the Bureau's objective of improving CSP procurement and execution as both the Bureau and the cloud marketplace continue to evolve.
Recommendation 4: Ensure that future CFPB contracts for cloud computing services include FAR requirements and best practice clauses for information access, the conduct of forensic investigations and e-discovery, and penalties for noncompliance with contract and SLA terms, as appropriate.
Management Response: The Bureau concurs with this recommendation. Recommendation #4 aligns precisely with our efforts related to Recommendation #3 and our plans to develop a more robust repertoire of cloud service acquisition terms and conditions. As we continue to refine CSP procurement guidance, we will leverage these improved acquisition standards in our procurements of cloud-based offerings. These will specifically address inclusion of appropriate FAR clauses, the ability to execute forensic collection and e-discovery with minimal risk of spoliation of evidentiary and legal information, the ability to access Government information in a timely manner in support of audit and assessment requirements, and appropriate penalties for anything less than compliant execution on the part of our CSP providers, including methods to assess compliance.