Report File
Date Issued
Submitting OIG
National Credit Union Administration OIG
Other Participating OIGs
National Credit Union Administration OIG
Agencies Reviewed/Investigated
National Credit Union Administration
Report Number
OIG-24-01
Report Description

The National Credit Union Administration (NCUA) Office of Inspector General (OIG) conducted this self-initiated audit to assess the NCUA’s use of cloud computing services. Our objectives were to determine whether the NCUA: (1) adequately addressed risk when contracting cloud computing services; and (2) effectively managed operational and security risks of implemented cloud computing services. Results of our audit determined that the NCUA needs an enterprise-wide approach to cloud computing to effectively contract and manage cloud computing services. The NCUA should align policies and procedures with this enterprise-wide approach. Our audit also determined the NCUA implemented cloud computing services as the situation or business need occurred to meet mission priorities. We believe this approach has not allowed the NCUA to clearly address federal guidance, has created inconsistent processes, and allowed for decisions and implemented services to be made unsystematically. Therefore, we are making two recommendations in our report and note that management has agreed to both recommendations. Given the current approach to the agency’s cloud computing services, the OIG plans to conduct a follow-up audit on the contracting and risk management of its use of cloud computing services once the recommendations in this report have been implemented.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
2
Questioned Costs
$0
Funds for Better Use
$0

Open Recommendations

This report has 2 open recommendations.
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
1.OIG-24-01 | No | $0 | $0 |

Finalize and implement a comprehensive formalized enterprise-wide cloud computing strategy that, at minimum, addresses the following:
• Alignment with federal guidance and directives such as Cloud Smart and Executive Order 14028.
• Prioritization of the use of FedRAMP-authorized systems.
• Identification of workforce requirements needed to support cloud procurement, implementation, and risk management.
• Management of risks related to the use of cloud computing services such as secure cloud architecture, data governance, and incident management processes.

2.OIG-24-01 | No | $0 | $0 |

Develop and implement policies, procedures, and standards that are consistent with the NCUA’s cloud computing strategy and address, at minimum, the following:
• Coordination, identification, and clarification of responsibilities and processes across all stakeholders for IT service contract reviews, service level agreements alignment and monitoring, and cloud service incident management.
• Specific criterion for the prioritization, selection, and use of cloud computing services.
• Periodic review of contract clauses included for cloud computing services to confirm documentation supporting security requirements are clearly identified to the vendor and security and operational risks are appropriately managed.

National Credit Union Administration OIG

United States