IN THIS SECTION
Finding 1: The CFPB's Business Case for AWS Did Not Include an Alternatives and Cost Analysis
As part of planning to acquire cloud services, NIST Special Publication 800-146 states that agencies should develop a business case that considers the readiness of existing applications for cloud deployment, transition and life cycle costs, and security and privacy requirements. In addition, NIST Special Publication 800-35 details an IT security services life cycle that provides a framework for use in selecting, implementing, and managing IT security services, including cloud computing services. Figure 1 details NIST's IT security services life cycle. The solution phase involves the development of a business case in order to identify the best solution to produce the desired future state. Specifically, the business case should include consideration of viable alternatives, formation of cost estimates, and completion of an organizational risk analysis. In accordance with this life cycle approach, the CFPB is in the process of strengthening its IT capital planning program to guide the selection, evaluation, and control of its IT investments. As part of this program, the CFPB has created an Investment Review Board designed to review the agency's business cases for IT investment decisions.
Figure 1: IT Security Services Life Cycle
Source: NIST SP 800-35, Guide to Information Technology Security Services
We found that although a business case analysis was completed to guide the CFPB's acquisition of CAT, the alternatives and cost savings analysis part of the business case analysis for the AWS cloud computing environment was not completed. An alternatives and cost savings analysis was not completed for the AWS contract because the CFPB's current investment review process was not in place when that contract was initially awarded. In addition, CFPB officials informed us that at the time the AWS contract was awarded, the agency had recently been established as an independent agency and it had to rapidly establish its IT infrastructure to support its needs. As such, the agency utilized an existing Treasury contract with Amazon.com without performing its own alternatives and cost savings analysis.
The Chief Information Officer stated that as the CFPB continues to transition its IT infrastructure from Treasury, the agency will be evaluating various models, including cloud computing and in-house approaches, to hosting its infrastructure. Completion of a business case for proposed approaches that includes viable alternatives and cost considerations will provide key information to assist CFPB officials in selecting an IT infrastructure solution that best meets the needs of the agency in a cost-effective manner.
Recommendation
We recommend that the Chief Information Officer
- Ensure that an alternatives and cost analysis is conducted to inform the selection of cloud computing service providers and models.
Management's Response
The Chief Information Officer concurs with this recommendation and is working to continue to mature the agency's processes, to include conducting the appropriate reviews during source selection as well as cost-benefit and trade-off analyses.
OIG Comment
In our opinion, the actions described by the Chief Information Officer are responsive to our recommendation. We plan to follow up on the actions to ensure that the recommendation is fully addressed.
