The Federal Deposit Insurance Corp. failed to hold a full inventory of all data assets in its cloud environments, according to a new watchdog audit.
FDIC’s IG in the audit established that although the agency’s governance processes for cloud computing services were effective, it did not adhere to several cloud computing practices recommended by the Office of Management and Budget, the National Institute of Standards and Technology, and existing FDIC guidance.
These include the recommended creation of a cloud exit strategy, which provide the agency with a plan if it need to terminate a contract with a cloud service provider. According to the FDIC’s IG, this was not established.
In addition, the FDIC’s watchdog found that the agency had not developed contract management plans for all 17 contract actions for cloud services at the agency, and that disposal strategies and/or decommission plans for legacy systems did not exist.
FDIC has invested significant resources in IT modernization and plans to have most of its mission essential and mission critical systems operating in the cloud by 2024. According to the agency, “mission essential” is defined as a system whose loss would cause a stoppage of the core operations supporting its mission. “Mission critical” refers to a system whose loss would significantly impact the FDIC’s operations but not its core mission.
In a statement accompanying the report, an FDIC IG spokesperson said: “These ineffective governance and strategy controls over cloud computing pose increased risks to the FDIC, including (1) security and privacy concerns due to the lack of visibility into cloud data, (2) inability to effectively move from an existing cloud service provider to another, (3) not identifying and mitigating performance risks and vulnerabilities in cloud contracts, and (4) increased potential for cyber attacks and costs from the lack of disposal strategies for legacy systems.”
“We made nine recommendations to strengthen the strategy and related governance processes for the FDIC’s adoption of cloud computing services. FDIC management agreed with these recommendations and plans to complete corrective actions by September 2024,” they added.