In January 2014, the Council of the Inspectors General on Integrity and Efficiency (CIGIE) initiated a government-wide review of select agencies' efforts to adopt cloud computing technologies. The initiative focused on reviewing cloud computing contracts for inclusion of specific clauses and the agencies' efforts to monitor the performance of cloud service providers (CSPs). In support of the CIGIE initiative, our objective was to review the Consumer Financial Protection Bureau's (CFPB) acquisition and contract management for Amazon.com's Amazon Web Services (AWS) and Deloitte's Compliance Analysis Toolkit (CAT) to determine whether requirements for security, service levels, and access to records were appropriately planned for, defined in contracts, and being monitored. We provided CIGIE with responses to a questionnaire it issued to the select agencies' OIGs under a separate cover. Appendix A provides our scope and methodology.
The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. NIST classifies cloud computing capabilities into the following three service models: software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS).
Cloud computing offers federal agencies the potential for cost savings through faster deployment of computing resources, a decreased need to buy hardware or build data centers, and enhanced collaboration capabilities. Recognizing these benefits, the Office of Management and Budget issued a Cloud First policy in December 2010, requiring federal agencies to evaluate safe, secure cloud computing options before making new investments in information technology (IT).
When it began operations in July 2011, the CFPB relied on the U.S. Department of the Treasury (Treasury) for IT systems and services. As the agency transitions IT systems and services from Treasury, it has increasingly embraced cloud computing as a model to meet its IT needs in a flexible, scalable manner. Specifically, the CFPB has contracted with seven CSPs, including Amazon.com and Deloitte. Amazon.com hosts the CFPB's public website and provides infrastructure for the agency's software development efforts through AWS. Deloitte provides the agency's CAT, which is an application that allows financial companies that are supervised by the CFPB to upload loan file data for analysis by the agency's examiners. As highlighted in table 1, the CFPB also uses cloud computing solutions for automated litigation support and for contact center services. As of June 2014, the CFPB's cloud computing contracts were valued at approximately $185 million.
Table 1. The CFPB's cloud computing contracts as of June 2014

CSP | Cloud service description | Type of cloud service | Total contract value | Contract initiation date | Contract length |
---|---|---|---|---|---|
General Dynamics | Contact center support and services | SaaS | $131,000,000 | 06/08/2011 | 5 years |
Deloitte | CAT, analytical services, and support | SaaS | $25,000,000 | 05/29/2012 | 5 years |
Treasury | IT shared services | PaaS | $9,674,580 | 10/01/2013 | 1 year |
Treasury | Financial management services | PaaS | $7,075,604 | 10/01/2013 | 1 year |
Verizon Terremark | Data storage/colocation | IaaS | $4,200,000 | 01/05/2011 (a) | 8 months |
Amazon.com | Web hosting | IaaS | $4,200,000 | 01/05/2011 (a) | 8 months |
U.S. Department of Justice | Automated litigation support | SaaS | $3,997,840 | 05/12/2012 | 5 years |
Source: Information taken from the CFPB's responses to the CIGIE cloud computing survey.
(a) The CFPB initially contracted with Verizon Terremark and Amazon.com for cloud services on January 5, 2011. The contract values and lengths reflected in the table are for the most recent contract extensions the CFPB signed with these two companies on January 1, 2014.
Compared to traditional IT contracts, procuring cloud computing services presents agencies with unique and differing risks to manage. For instance, CSPs may store data in multiple facilities around the world. Thus, federal agencies must carefully consider who may have access to data and under what circumstances. To ensure that federal agencies are procuring cloud services in accordance with existing regulations and laws, the Chief Information Officers Council and the Chief Acquisition Officers Council issued guidance on February 24, 2012, for creating effective cloud computing contracts for the federal government. This guidance highlights the importance of clearly defining in contracts the roles and responsibilities of the CSP and the agency, particularly with respect to information access. The guidance also recommends that agencies establish service-level expectations and monitor CSP compliance, ensure control of federal data through completion of nondisclosure agreements, and include clauses in contracts or agreements outlining procedures for conducting forensic investigations and electronic discovery (e-discovery).
Guidance issued by NIST on cloud computing and procurement of IT services also provides best practices that agencies may consider when acquiring cloud services. For instance, NIST Special Publication 800-146, Cloud Computing Synopsis and Recommendations, May 2012, notes that an agency should develop a business case for moving to the cloud that considers the readiness of existing applications for cloud deployment, transition and life cycle costs, and security and privacy requirements. Further, NIST Special Publication 800-35, Guide to Information Technology Security Services, October 2002, presents factors for agencies to consider when selecting, implementing, and managing IT security services and providers. These factors can also apply to the procurement of cloud services and include consideration of viable alternatives, development of cost estimates, and formalization of service-level agreements (SLAs) with specific clauses and terms unique to each organization.