Evaluation of the CPSC's Management of Cloud Computing, Shared Services, & Third-Party Systems

View Report

Date Issued

Wednesday, January 31, 2024

Submitting OIG

Consumer Product Safety Commission OIG

Other Participating OIGs

Consumer Product Safety Commission OIG

Agencies Reviewed/Investigated

Consumer Product Safety Commission

Report Number

24-A-01

Report Description

We retained the services of Williams, Adley, & Co.-DC LLP (Williams Adley), an independent public accounting firm, to conduct an evaluation to assess the Consumer Product Safety Commission’s (CPSC) management of its cloud systems, shared services, and third-party systems, from a legal, internal control, and contractual perspective.

Report Type

Inspection / Evaluation

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 5 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
1	Yes	$0	$0
Develop and implement an IT modernization plan. This plan should:i. document an inventory of all legacy systems in operation at the CPSCii. identify the cost associated with the operations and maintenance of thelegacy systems in operation in the current environment at the CPSCiii. identify the resources necessary to modernize each CPSC legacy system(e.g., migrating to a Commercial-Off-The-Shelf solution or shared servicessolution, moving to a cloud environment, etc.)iv. analyze potential opportunities to save money, improve operations, andimprove security through modernizing the CPSC’s legacy systems
2	Yes	$0	$0
Develop and establish a process to monitor the implementation of the IT modernizationplan by documenting the objectives, goals, tasks, milestones, metrics, and funding sourcesassociated with management’s modernization efforts.
3	Yes	$0	$0
Establish and implement a policy and procedure to manage the cloud computing, sharedservices, and third-party system inventory necessary for transitioning to a consumptionbasedservice model.
4	No	$0	$0
The CPSC should develop and implement policies and procedures to periodically reviewsecurity packages from external service providers (such as those hosting cloud, sharedservices, and third-party systems) to ensure that the risks posed by the external serviceprovider are within the CPSC’s risk appetite and tolerance.
5	No	$0	$0
The CPSC should review the external service provider’s customer responsibility matrices,select, tailor, implement the relevant security controls from those matrices and thendocument (and periodically reassess) those controls to support the ongoing authorizationto operate and use decision.