CFPB Report: 2014-IT-C-016 September 30, 2014

Audit of the CFPB’s Acquisition and Contract Management of Select Cloud Computing Services

Finding 2: Specific Clauses for Information Access and Penalties for Noncompliance Were Not Included in CSP Contracts and SLAs

As shown in figure 1 above, once a business case has been reviewed and a service provider has been selected as part of the solution phase, the implementation phase begins. This phase includes the development of an SLA with specific clauses and terms unique to each organization. Federal Acquisition Regulation (FAR) section 52.215-2, Audit and Records, requires that contracts for cloud computing include a clause related to granting the OIG access and the right to examine any of the directly pertinent records involving transactions related to the contract. Further, best practices for creating effective cloud computing contracts in the federal government stipulate that penalties for noncompliance with contract and service agreement terms, as well as procedures for e-discovery and forensic investigations, should be outlined in the contract or the SLA between the agency and the CSP.4

We found that the CFPB's contracts for cloud computing services with Amazon.com and Deloitte included specific clauses covering roles and responsibilities, information security requirements, and service-level expectations. We also found that the CFPB has established a process to monitor both contractual and service-level requirements for its CSPs and that the agency collects and maintains nondisclosure agreements from contractor personnel to protect sensitive information. However, as highlighted in table 2, we identified that the contracts and SLAs for both AWS and CAT did not include clauses covering (1) the conduct of forensic investigations for criminal and noncriminal purposes and (2) procedures for e-discovery when conducting a criminal investigation. Additionally, we found that the CAT contract did not include FAR clause 52.215-2 related to granting the OIG access to contractor records or include clauses specifying penalties levied on the CSP for noncompliance with contract or SLAs.

Table 2: Select Best Practice Contract and SLA Clauses for AWS and CAT

Contract/SLA clause | Included in AWS contract or SLA? | Included in CAT contract or SLA?
FAR 52.203-13: Contractors to fully cooperate by disclosing sufficient information for law enforcement purposes | Yes | Yes
FAR 52.239-1: Agency access to the CSP's facilities | Yes | Yes
Cloud Best Practices: Allowing the CSP to only make changes to the cloud environment under specific standard operating procedures agreed to by the CSP and the federal agency in the contract | Yes | Yes
FAR 52.215-2 / Cloud Best Practices: OIG access to the contractor's facilities, installations, operations, documentation, databases, and personnel | Yes | No
Cloud Best Practices: Penalties for noncompliance with contract and SLA | Yes | No
Cloud Best Practices: Contract includes procedures for agencies to conduct forensic investigations | No | No
Cloud Best Practices: Addressing procedures for e-discovery when conducting a criminal investigation | No | No

Source: OIG analysis of the CFPB's AWS and CAT contracts.

CFPB officials informed us that the guidance used to develop the AWS and CAT contracts and SLAs did not include references to FAR clause 52.215-2 or the best practice clauses that we found to be missing. By ensuring that these clauses are included in cloud computing contracts and SLAs, the CFPB will have greater assurance that it will have timely access to agency information hosted in the cloud and be able to hold CSPs accountable for noncompliance with contract and SLAs.

Recommendations

We recommend that the Chief Information Officer

  1. Assess the costs and benefits of negotiating post-award agreements with Amazon.com and Deloitte to include clauses for Inspector General information access, the conduct of forensic investigations and e-discovery, and penalties for noncompliance with contract and SLA terms, as appropriate.
  2. Ensure that the guidance used to develop contracts and SLAs with CSPs references FAR requirements and best practice contract clauses for information access, conduct of forensic investigations and e-discovery, and penalties for noncompliance, as appropriate.
  3. Ensure that future CFPB contracts for cloud computing services include FAR requirements and best practice clauses for information access, the conduct of forensic investigations and e-discovery, and the assessment of penalties for noncompliance with contract and SLA terms.

Management's Response

The Chief Information Officer concurs with recommendation 2 and is undertaking steps to assess the feasibility, as well as cost-benefit and trade-off analyses, for the existing contracts with both Amazon.com and Deloitte and, where appropriate, to execute post-award agreements to help increase assurances that the OIG has timely access to information hosted in these CSPs, and that government interests are protected appropriately.

The Chief Information Officer concurs with recommendation 3. Inclusion of standardized FAR clauses, requirements for information access in support of audit and assessments, and penalties for less-than-compliant contract execution on the part of the CSPs, are all matters that are in scope for the CFPB's ongoing supply chain guidance maturation goals and improvement processes.

The Chief Information Officer concurs with recommendation 4 and plans to develop a more robust repertoire of cloud service acquisition terms and conditions.

OIG Comment

In our opinion, the actions described by the Chief Information Officer are responsive to our recommendation. We plan to follow up on the actions to ensure that the recommendation is fully addressed.