Skip to Navigation
Skip to Main content
OIG Home
OIG Home

IN THIS SECTION

Skip SHARE THIS PAGE section Skip STAY CONNECTED section

CFPB Report: 2014-IT-C-016 September 30, 2014

Audit of the CFPB’s Acquisition and Contract Management of Select Cloud Computing Services

available formats

Purpose

In January 2014, the Council of the Inspectors General on Integrity and Efficiency initiated a government-wide review of select agencies' efforts to adopt cloud computing technologies. In support of this initiative, our objective was to review the Consumer Financial Protection Bureau's (CFPB) acquisition and contract management for Amazon.com’s Amazon Web Services and Deloitte's Compliance Analysis Toolkit to determine whether requirements for security, service levels, and access to records were planned for, defined in contracts, and being monitored.

Background

Cloud computing refers to a model for delivery of information technology (IT) services through on-demand access to a pool of configurable computing resources. Federal agencies, including the CFPB, are increasingly adopting cloud computing to lower IT costs and gain efficiencies.

The CFPB's strategic plan emphasizes the need for a flexible, scalable IT infrastructure that is capable of meeting current needs and sustaining the agency's future growth. To help achieve this objective, the CFPB has contracted with seven cloud service providers (CSPs), including Amazon.com, which hosts the agency's public website, and Deloitte, which provides an application that allows financial companies that are supervised by the CFPB to upload loan file data for analysis by the agency’s examiners.

Findings

Overall, we found that the CFPB's contracts for cloud computing services with Amazon.com and Deloitte included roles and responsibilities, information security requirements, and service-level expectations. We also found that the CFPB has established a process to monitor both contractual and service-level requirements for its CSPs, and that the agency collects and maintains nondisclosure agreements from contractor personnel to protect sensitive information.

We identified opportunities for improvement in the procurement and use of cloud services. Specifically, we found that when the CFPB began operations in July 2011, it used a U.S. Department of the Treasury contract with Amazon.com to quickly meet its IT needs. The agency, however, did not perform its own alternatives and cost analysis at that time. In addition, we found that the CFPB's cloud computing contracts and service-level agreements with both Amazon.com and Deloitte did not include clauses providing the access needed for electronic discovery and performance of criminal and noncriminal investigations. We also found that the CFPB's contract with Deloitte did not include a clause granting the Office of Inspector General the right to examine agency records or detail specific penalties or remedies for noncompliance with contract terms and service levels.

Recommendations

Our report contains four recommendations to assist the CFPB's Chief Information Officer in strengthening processes for the acquisition and contract management of cloud services. Specifically, we recommend that the Chief Information Officer ensure that alternatives and cost analyses are conducted, assess the costs and benefits of negotiating post-award agreements with Amazon.com and Deloitte to include relevant requirements and best practices, ensure that agency guidance used to develop contracts and service-level agreements with CSPs references applicable Federal Acquisition Regulation and best practice contract clauses, and ensure that future CFPB contracts for cloud computing services include relevant requirements and best practice contract clauses. The Chief Information Officer concurred with our recommendations and outlined actions that have been taken or will be implemented to address our recommendations.