Audit of Security Controls for the FDIC's Cloud Computing Environment

The Office of Inspector General (OIG) of the Federal Deposit Insurance Corporation (FDIC) issued its report on the Audit of Security Controls for the FDIC's Cloud Computing Environment.

Cloud computing offers many potential benefits, including cost optimization, flexibility, scalability, and enhanced security. It enables organizations to do more with less by eliminating on-premises infrastructure and reducing the servers and staff needed to support it. While cloud computing offers many benefits, it does not eliminate the customer's responsibility to manage security risks appropriately. The FDIC continues to expand its cloud presence by migrating its mission essential and mission critical applications into the cloud. The FDIC must ensure that its systems and data within the cloud are secured and that control weaknesses are effectively addressed. Failure to do so could result in damage and harm to FDIC systems and data, hindering its ability to maintain stability and confidence in the nation's financial system.

We engaged Sikich CPA LLC (Sikich) to conduct an audit of security controls for the FDIC's cloud computing environment. The objective of this audit was to assess the effectiveness of security controls for the FDIC's cloud computing environment. Sikich determined that the FDIC had not effectively implemented security controls in its cloud computing environment in five of nine areas, namely Identity and Access Management, Protecting Cloud Secrets, Patch Management, Flaw Remediation, and Audit Logging. Due to the number of findings and the similarities among them, Sikich identified the six common themes of security weaknesses listed below:

  1. Insecure Coding Practices: The FDIC cloud platform teams did not consistently implement secure coding practices.
  2. Misconfigured Security Settings: The FDIC cloud platform teams did not consistently configure cloud platform security settings in accordance with cloud service providers and industry best practices.
  3. Least Privilege: The FDIC did not consistently provision access to its cloud-based systems in accordance with the principle of least privilege.
  4. Outdated Software: Cloud platforms relied on outdated software components.
  5. Ineffective Monitoring: The FDIC did not adequately monitor the activity on its cloud-based systems.
  6. Cloud Service Provider Vulnerabilities: Cloud service providers were solely responsible for causing certain vulnerabilities and should be responsible for their remediation.

Sikich made 7 formal recommendations and 48 related technical recommendations to improve cloud security controls across the six common themes of security weaknesses listed above. The FDIC concurred with all recommendations and plans to complete all corrective actions by December 30, 2026.