Report File
Date Issued
Submitting OIG
Consumer Product Safety Commission OIG
Other Participating OIGs
Consumer Product Safety Commission OIG
Agencies Reviewed/Investigated
Consumer Product Safety Commission
Report Number
24-A-01
Report Description

We retained the services of Williams, Adley, & Co.-DC LLP (Williams Adley), an independent public accounting firm, to conduct an evaluation to assess the Consumer Product Safety Commission’s (CPSC) management of its cloud systems, shared services, and third-party systems, from a legal, internal control, and contractual perspective.

Report Type
Inspection / Evaluation
Agency Wide
Yes
Number of Recommendations
6
Questioned Costs
$0
Funds for Better Use
$0

Open Recommendations

This report has 5 open recommendations.
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
1 | Yes | $0 | $0

Develop and implement an IT modernization plan. This plan should:
i. document an inventory of all legacy systems in operation at the CPSC
ii. identify the cost associated with the operations and maintenance of the legacy systems in operation in the current environment at the CPSC
iii. identify the resources necessary to modernize each CPSC legacy system (e.g., migrating to a Commercial-Off-The-Shelf solution or shared services solution, moving to a cloud environment, etc.)
iv. analyze potential opportunities to save money, improve operations, and improve security through modernizing the CPSC’s legacy systems

2 | Yes | $0 | $0

Develop and establish a process to monitor the implementation of the IT modernization plan by documenting the objectives, goals, tasks, milestones, metrics, and funding sources associated with management’s modernization efforts.

3 | Yes | $0 | $0

Establish and implement a policy and procedure to manage the cloud computing, shared services, and third-party system inventory necessary for transitioning to a consumption-based service model.

4 | No | $0 | $0

The CPSC should develop and implement policies and procedures to periodically review security packages from external service providers (such as those hosting cloud, shared services, and third-party systems) to ensure that the risks posed by the external service provider are within the CPSC’s risk appetite and tolerance.

5 | No | $0 | $0

The CPSC should review the external service provider’s customer responsibility matrices, select, tailor, implement the relevant security controls from those matrices and then document (and periodically reassess) those controls to support the ongoing authorization to operate and use decision.

Consumer Product Safety Commission OIG

United States