The FDIC’s Adoption of Cloud Computing Services

The Office of Inspector General at the Federal Deposit Insurance Corporation (FDIC) has issued its report on The FDIC’s Adoption of Cloud Computing Services.  In 2021, the FDIC began to accelerate its cloud migration to reduce its on-premises infrastructure and modernize its IT portfolio. The FDIC invested significant resources and made IT modernization the main priority of its IT strategy to improve internal operations. The FDIC plans to have most of its mission essential and mission critical systems operating in the cloud by 2024.

According to the FDIC, “mission essential” is defined as a system whose loss would cause a stoppage of the core operations supporting the FDIC’s mission. “Mission critical” refers to a system whose loss would produce a significant impact on the FDIC’s operations, but not its core mission.

Migration to the cloud introduces different security risks and privacy concerns, as cloud environments differ from traditional on-premises IT architectures. In addition, organizations need to align cloud adoption with organizational performance goals by taking into consideration business goals and operational efficiencies when developing and implementing cloud systems. Therefore, it is imperative that organizations have an effective IT modernization strategy to ensure an effective transition occurs and that governance processes are in place to manage different risks.

We performed an audit to determine whether the FDIC has an effective strategy and governance processes to manage its cloud computing services.

Overall, we found the FDIC had effective strategy and governance processes to manage its cloud computing services. However, the FDIC did not adhere to several cloud-related practices recommended by the Office of Management and Budget (OMB), National Institute of Standards and Technology (NIST), and FDIC guidance in the following areas:

  • Data Inventory for Cloud-Based Systems: The FDIC did not have an inventory of all data assets residing in its cloud environments or a fully developed data catalog (that is, an organized inventory of its cloud data assets).
  • Cloud Exit Strategy: The FDIC did not establish an exit strategy as part of its cloud strategy planning to address issues (for example, triggering events, roles and responsibilities, and portability and transitioning of data) if the FDIC needed to terminate a contract with a cloud service provider.
  • Contract Management Plans: The FDIC did not develop Contract Management Plans for all 17 contract actions for cloud services valued at over $546 million.
  • Decommissioning Plans for Legacy Systems: The FDIC did not develop disposal strategies and/or decommission plans for legacy systems.

These ineffective governance and strategy controls over cloud computing pose increased risks to the FDIC, including (1) security and privacy concerns due to the lack of visibility into cloud data, (2) inability to effectively move from an existing cloud service provider to another, (3) not identifying and mitigating performance risks and vulnerabilities in cloud contracts, and (4) increased potential for cyber attacks and costs from the lack of disposal strategies for legacy systems.

We determined that the FDIC had effective controls in seven other control areas related to application rationalization, IT governance bodies’ alignment with cloud risks, cloud expenditures, cloud workforce transformation, assessment and authorization, continuous monitoring, and business continuity.

We made nine recommendations to strengthen the strategy and related governance processes for the FDIC’s adoption of cloud computing services.  FDIC management agreed with these recommendations and plans to complete corrective actions by September 2024.