What the Office of Inspector General Evaluated:
The objective was to determine whether the Library has implemented adequate governance controls to ensure that its cloud services are secure, operationally suitable, and cost-beneficial.
What the Office of Inspector General Found:
- The Library is unable to identify current-state cloud services in a reliable and effective manner.
- The Library does not have an actionable cloud strategy.
- The Library has not developed a system administration manual for the Office of the Chief Information Officer Google Services.
- The Library has not performed a gap analysis as part of its cloud strategy workforce development and planning component.
- The Library’s cloud contracts lack detailed service-level information regarding data preservation and migration.
- The Library does not consistently apply the risk management framework to its cloud applications.
- The Library does not consistently implement its cost estimation and monitoring requirements for cloud migrations.
What the Office of Inspector General Recommends:
- Develop a process to ensure that it is able to identify its cloud-hosted systems, as defined by National Institute of Standards and Technology SP 800-145 and CSF ID.AM-4.
- Enhance and document its capabilities to ensure that the Office of the Chief Information Officer can automatically track and report on the Library’s current-state cloud systems at a level of granularity that supports enterprise architecture, supports Office of the Chief Information Officer reporting of cloud migration metrics, and tracks the Library’s progress toward a planned future state.
- Update its cloud strategy and cloud implementation plan to fully align with the federal Cloud Smart strategy.
- Disseminate the updated documents to management-level Office of the Chief Information Officer personnel and individuals within the Contracts and Grants Directorate to ensure organization-wide awareness and alignment.
- Develop account management and auditing procedures to support the implementation of the Office of the Chief Information Officer Google Services.
- Provide training to relevant personnel so they can execute the responsibilities documented within the new procedures.
- Ensure the most current System Administration Manuals are available/accessible as needed to enable Library personnel to perform their duties.
- Update the Library’s cloud strategy to include a workforce development and planning component.
- Perform an Office of the Chief Information Officer-wide skills gap assessment in support of the Library cloud strategy.
- Based on the results of the Office of the Chief Information Officer-wide skills gap assessment, implement any necessary corrective actions.
- Finalize and implement the procurement policies for cloud computing services and IT products and services.
- Ensure that the procurement policies take into consideration the guidelines and recommendations for cloud procurement contained in National Institute of Standards and Technology SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing, and National Institute of Standards and Technology SP 800-146, Cloud Computing Synopsis and Recommendations.
- Ensure that system security plans or other system-specific documents for current cloud-based systems address data preservation and the migration of data to and from the cloud, as outlined in National Institute of Standards and Technology SP 800-146, Cloud Computing Synopsis and Recommendations, sections 3 and 9, respectively.
- Evaluate the alignment of its established low impact externally hosted control baselines with National Institute of Standards and Technology control baselines and document and justify any deviations (i.e., tailoring), with a rationale or an acceptance of the related risk.
- Refine its Plan of Action & Milestones management process to ensure that it reviews reports of overdue Plans of Action & Milestones in a timely manner and to require justification for any delays or extensions.
- Review cloud system continuous monitoring plans to ensure that the control scopes and assessment frequencies are commensurate with the systems’ control baselines. Monitor performance of control assessments accordingly.
- Review the system security plans in Archer to determine the scope of the technical error related to inherited controls. Coordinate with the vendor to identify and implement a solution.
- Conduct an analysis to determine if system security plans for other systems have insufficient tailoring or inheritance statements and create a plan to address any identified gaps.
- Establish Library-specific cost models for computing, storage, and network services that the Library can use in performing total cost of ownership comparisons and monitoring.
- Ensure the Library’s cloud strategy or implementation plan clearly identifies the need to document and present total cost of ownership comparisons when making hosting determinations.
- Plan and monitor the implementation of its cloud IT investments and complete and submit quarterly and annual IT investment reports with documentation supporting the reported status, if necessary.