
CFPB Report: 2014-IT-C-016 September 30, 2014

Audit of the CFPB’s Acquisition and Contract Management of Select Cloud Computing Services


Introduction

Objectives

In January 2014, the Council of the Inspectors General on Integrity and Efficiency (CIGIE)1 initiated a government-wide review of select agencies' efforts to adopt cloud computing technologies. The initiative focused on reviewing cloud computing contracts for inclusion of specific clauses and the agencies' efforts to monitor the performance of cloud service providers (CSPs). In support of the CIGIE initiative, our objective was to review the Consumer Financial Protection Bureau's (CFPB) acquisition and contract management for Amazon.com's Amazon Web Services (AWS) and Deloitte's Compliance Analysis Toolkit (CAT) to determine whether requirements for security, service levels, and access to records were appropriately planned for, defined in contracts, and being monitored. We provided CIGIE with responses to a questionnaire it issued to the select agencies' OIGs under a separate cover. Appendix A provides our scope and methodology.

Background

The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. NIST classifies cloud computing capabilities into the following three models:

  1. Software as a service (SaaS) provides the capability to use the CSP's applications running on a cloud infrastructure.
  2. Platform as a service (PaaS) refers to the capability to deploy consumer-created or ‑acquired applications that are developed using programming languages and tools supported by the CSP onto the cloud infrastructure.
  3. Infrastructure as a service (IaaS) enables provisioning of processing, storage, networks, and other computing resources where the consumer is able to deploy, run, and control software applications.2

Cloud computing offers federal agencies the potential for cost savings through faster deployment of computing resources, a decreased need to buy hardware or build data centers, and enhanced collaboration capabilities. Recognizing these benefits, the Office of Management and Budget issued a Cloud First policy in December 2010, requiring federal agencies to evaluate safe, secure cloud computing options before making new investments in information technology (IT).

When it began operations in July 2011, the CFPB relied on the U.S. Department of the Treasury (Treasury) for IT systems and services. As the agency transitions IT systems and services from Treasury, it has increasingly embraced cloud computing as a model to meet its IT needs in a flexible, scalable manner. Specifically, the CFPB has contracted with seven CSPs, including Amazon.com and Deloitte. Amazon.com hosts the CFPB's public website and provides infrastructure for the agency's software development efforts through AWS. Deloitte provides the agency's CAT, which is an application that allows financial companies that are supervised by the CFPB to upload loan file data for analysis by the agency's examiners. As highlighted in table 1, the CFPB also uses cloud computing solutions for automated litigation support and for contact center services. As of June 2014, the CFPB's cloud computing contracts were valued at approximately $185 million.

Table 1: Summary of Cloud Computing Technologies Used by the CFPB

| CSP | Cloud service description | Type of cloud service | Total contract value | Contract initiation date | Contract length |
|---|---|---|---|---|---|
| General Dynamics | Contact center support and services | SaaS | $131,000,000 | 06/08/2011 | 5 years |
| Deloitte | CAT, analytical services, and support | SaaS | $25,000,000 | 05/29/2012 | 5 years |
| Treasury | IT shared services | PaaS | $9,674,580 | 10/01/2013 | 1 year |
| Treasury | Financial management services | PaaS | $7,075,604 | 10/01/2013 | 1 year |
| Verizon Terremark | Data storage/colocation | IaaS | $4,200,000 | 01/05/2011 (a) | 8 months |
| Amazon.com | Web hosting | IaaS | $4,200,000 | 01/05/2011 (a) | 8 months |
| U.S. Department of Justice | Automated litigation support | SaaS | $3,997,840 | 05/12/2012 | 5 years |

Source: Information taken from the CFPB's responses to the CIGIE cloud computing survey.

(a) The CFPB initially contracted with Verizon Terremark and Amazon.com for cloud services on January 5, 2011. The contract values and lengths reflected in the table are for the most recent contract extensions the CFPB signed with these two companies on January 1, 2014.

Federal Guidance and Best Practices for Acquiring Cloud Computing Services

Compared to traditional IT contracts, procuring cloud computing services presents agencies with unique and differing risks to manage. For instance, CSPs may store data in multiple facilities around the world. Thus, federal agencies must carefully consider who may have access to their data and under what circumstances. To ensure that federal agencies are procuring cloud services in accordance with existing regulations and laws, the Chief Information Officers Council and the Chief Acquisition Officers Council issued guidance on February 24, 2012, for creating effective cloud computing contracts for the federal government.3 This guidance highlights the importance of clearly defining in contracts the roles and responsibilities of the CSP and the agency, particularly with respect to information access. The guidance also recommends that agencies establish service-level expectations and monitor CSP compliance, ensure control of federal data through completion of nondisclosure agreements, and include clauses in contracts or agreements outlining procedures for conducting forensic investigations and electronic discovery (e-discovery).

Guidance issued by NIST on cloud computing and procurement of IT services also provides best practices that agencies may consider when acquiring cloud services. For instance, NIST Special Publication 800-146, Cloud Computing Synopsis and Recommendations, May 2012, notes that an agency should develop a business case for moving to the cloud that considers the readiness of existing applications for cloud deployment, transition and life cycle costs, and security and privacy requirements. Further, NIST Special Publication 800-35, Guide to Information Technology Security Services, October 2002, presents factors for agencies to consider when selecting, implementing, and managing IT security services and providers. These factors can also apply to the procurement of cloud services and include consideration of viable alternatives, development of cost estimates, and formalization of service-level agreements (SLAs) with specific clauses and terms unique to each organization.