As shown in figure 1 above, once a business case has been reviewed and a service provider has been selected as part of the solution phase, the implementation phase begins. This phase includes the development of an SLA with specific clauses and terms unique to each organization. Federal Acquisition Regulation (FAR) section 52.215-2, Audit and Records, requires that contracts for cloud computing include a clause related to granting the OIG access and the right to examine any of the directly pertinent records involving transactions related to the contract. Further, best practices for creating effective cloud computing contracts in the federal government stipulate that penalties for noncompliance with contract and service agreement terms, as well as procedures for e-discovery and forensic investigations, should be outlined in the contract or the SLA between the agency and the CSP.4
We found that the CFPB's contracts for cloud computing services with Amazon.com and Deloitte included specific clauses covering roles and responsibilities, information security requirements, and service-level expectations. We also found that the CFPB has established a process to monitor both contractual and service-level requirements for its CSPs and that the agency collects and maintains nondisclosure agreements from contractor personnel to protect sensitive information. However, as highlighted in table 2, we identified that the contracts and SLAs for both AWS and CAT did not include clauses covering (1) the conduct of forensic investigations for criminal and noncriminal purposes and (2) procedures for e-discovery when conducting a criminal investigation. Additionally, we found that the CAT contract did not include FAR clause 52.215-2 related to granting the OIG access to contractor records or include clauses specifying penalties levied on the CSP for noncompliance with contract or SLAs.
| Contract /SLA clauses | Included in AWS contract or SLA? | Included in CAT contract or SLA? |
|---|---|---|
| FAR 52-203-13—Contractors to fully cooperate by disclosing sufficient information for law enforcement purposes | Yes | Yes |
| FAR 52-239-1—Agency access to the CSP's facilities | Yes | Yes |
| Cloud Best Practices—Allowing the CSP to only make changes to the cloud environment under specific standard operating procedures agreed to by the CSP and the federal agency in the contract | Yes | Yes |
| FAR 52-215-2/Cloud Best Practices—OIG access to the contractor's facilities, installations, operations, documentation, databases, and personnel | Yes | No |
| Cloud Best Practices—Penalties for noncompliance with contract and SLA | Yes | No |
| Cloud Best Practices—Contract includes procedures for agencies to conduct forensic investigations | No | No |
| Cloud Best Practices—Addressing procedures for e-discovery when conducting a criminal investigation | No | No |
Source: OIG analysis of the CFPB's AWS and CAT contracts.
CFPB officials informed us that the guidance used to develop the AWS and CAT contracts and SLAs did not include references to FAR clause 52.215-2 or the best practice clauses that we found to be missing. By ensuing that these clauses are included in cloud computing contracts and SLAs, the CFPB will have greater assurance that it will have timely access to agency information hosted in the cloud and be able to hold CSPs accountable for noncompliance with contract and SLAs.
We recommend that the Chief Information Officer
The Chief Information Officer concurs with recommendation 2 and is undertaking steps to assess the feasibility, as well as cost-benefit and trade-off analyses, for the existing contracts with both Amazon.com and Deloitte and, where appropriate, to execute post-award agreements to help increase assurances that the OIG has timely access to information hosted in these CSPs, and that government interests are protected appropriately.
The Chief Information Officer concurs with recommendation 3. Inclusion of standardized FAR clauses, requirements for information access in support of audit and assessments, and penalties for less-than-compliant contract execution on the part of the CSPs, are all matters that are in scope for the CFPB's ongoing supply chain guidance maturation goals and improvement processes.
The Chief Information Officer concurs with recommendation 4 and plans to develop a more robust repertoire of cloud service acquisition terms and conditions.
In our opinion, the actions described by the Chief Information Officer are responsive to our recommendation. We plan to follow up on the actions to ensure that the recommendation is fully addressed.
