The Office of Inspector General (OIG) of the Federal Deposit Insurance Corporation (FDIC) issued its report on the Audit of Security Controls for a Cloud Platform and Application.
The FDIC has increasingly adopted cloud services to support its business functions. As of July 2025, the FDIC has migrated several of its mission essential and mission critical applications into a cloud environment. There are many benefits for organizations like the FDIC to migrate to the cloud; notably, the cloud service provider (CSP) has some responsibility for security, lessening the administrative overhead for the FDIC. However, as a cloud customer, the FDIC is still accountable for ensuring that its systems and data that operate in the cloud are secured in accordance with its own security standards.
In September 2024, the FDIC OIG issued a report on the Audit of Security Controls for the FDIC’s Cloud Computing Environment. In that audit, we assessed security controls on four cloud platforms and one Application Program Interface (API) platform. Our scope for that audit originally included a fifth cloud platform, which we refer to as the “Platform,” and its application, which we refer to as the “Application.” We decided not to test the Platform and Application at that time because the Application was undergoing a major upgrade, including the addition of external users (e.g., state regulators and bank users).
We engaged Sikich CPA LLC (Sikich) to conduct a performance audit of security controls for this fifth cloud platform and application. The objective of this audit was to assess the effectiveness of the security controls for the Platform and Application. To address this objective, Sikich performed tests of nine IT security control areas for the cloud platform and application. Sikich also assessed policies and procedures, interviewed responsible officials, and performed penetration testing procedures. Sikich determined that the FDIC had not effectively implemented security controls in the cloud platform and application in two areas: Identity and Access Management and Protecting Cloud Secrets. The report includes seven technical findings for the cloud platform and application, attributed to two overarching themes:
- Insecure Coding Practices: The FDIC teams developing cloud platforms did not consistently implement secure coding practices or functions.
- Cloud Service Provider Vulnerabilities: The Cloud Service Provider was solely responsible for causing certain vulnerabilities and should be responsible for their remediation.
Sikich made eight recommendations related to the identified control deficiencies and security weaknesses that, if effectively addressed, should strengthen the security controls for the cloud platform and application. The FDIC concurred with all recommendations and plans to complete all corrective actions by March 31, 2026.