Report: CFPB should assess risks to cloud systems before their deployment
The Consumer Financial Protection Bureau hasn’t comprehensively assessed risks prior to deploying new cloud systems, according to a recent report.
In particular, CFPB has not issued its own authority to operate (ATO) under the Federal Risk and Authorization Management Program (FedRAMP) for a cloud system supporting its Consumer Response Call Center, meaning the bureau is running a production system that handles consumer complaint data without having formally assessed and accepted its risk.
The system itself wasn’t identified in the Federal Reserve Office of Inspector General evaluation of CFPB released July 1, but the agency uses five FedRAMP cloud systems: Amazon Web Services, Amazon’s Content Delivery Services, General Dynamics Information Technology’s Customer eXperience Platform, Salesforce Government Cloud, and CylancePROTECT.
“This oversight presents a heightened security risk, as this cloud system supports processes for consumers who file complaints on financial products and services,” reads the report.
The FedRAMP Joint Authorization Board issues provisional authorities to operate (P-ATOs), which let agencies reuse the security assessment of a previously evaluated cloud system rather than repeating it, and CFPB did reuse that assessment in this case. A P-ATO is not a substitute for an agency authorization, however: each agency must still review the assessment package in the context of its own data and mission and issue its own ATO, which is the step at which the agency formally accepts the risk of using the system.
In its response to the OIG report, CFPB said a security assessment and authorization of the cloud system in question will be completed within 90 days.
FedRAMP was established in 2011 to standardize the authorization and continuous monitoring of cloud systems across agencies, but the OIG found that CFPB does not consistently monitor its cloud systems for security weaknesses after deployment. A major reason was that CFPB lacked an accurate inventory of its cloud systems; a system that is not on the inventory is not in scope for monitoring. The agency has since taken steps to automate the inventory process.
The third and final OIG recommendation is that CFPB verify that sensitive bureau data has actually been rendered unrecoverable when cloud providers perform electronic media sanitization, rather than relying on the providers' assertions that it was done.
CFPB plans to migrate its infrastructure entirely to the cloud by 2022 to reduce costs, improve quality of service and ensure access to current technology.
A second Federal Reserve OIG report is forthcoming detailing the effectiveness of bureau security for certain FedRAMP cloud systems.