Audit of the CFPB’s Acquisition and Contract Management of Select Cloud Computing Services

September 30, 2014

Memorandum

The Office of Inspector General (OIG) has completed its report on the subject audit. In January 2014, the Council of the Inspectors General on Integrity and Efficiency (CIGIE) initiated a government-wide review of select agencies' efforts to adopt cloud computing technologies. The CIGIE initiative focused on reviewing cloud computing contracts for inclusion of specific clauses and the agencies' efforts to monitor the performance of cloud service providers. In support of the CIGIE initiative, our objective was to review the Consumer Financial Protection Bureau's (CFPB) acquisition and contract management for Amazon.com's Amazon Web Services and Deloitte's Compliance Analysis Toolkit to determine whether requirements for security, service levels, and access to records were appropriately planned for, defined in contracts, and being monitored. We provided CIGIE with responses to a questionnaire it issued to the select agencies' OIGs under a separate cover. This report includes specific findings and recommendations designed to assist the CFPB in improving its acquisition and contract management processes associated with cloud service providers.

We provided a draft of our report to you for review and comment. In your response, included as appendix B, you concurred with our recommendations and outlined actions that have been taken, are underway, and are planned to address our recommendations.

We appreciate the cooperation that we received from CFPB personnel during our review. Please contact me if you would like to discuss this report or any related issues.