Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Securities and Exchange Commission
Inspector General's FY 2021 Letter to OMB on SEC's Implementation of Purchase Card Program Audit Recommendations
The objective was to determine whether the Library has implemented adequate governance controls to ensure that its cloud services are secure, operationally suitable, and cost-beneficial.
What the Office of Inspector General Found:
- The Library is unable to identify current-state cloud services in a reliable and effective manner.
- The Library does not have an actionable cloud strategy.
- The Library has not developed a system administration manual for the Office of the Chief Information Officer Google Services.
- The Library has not performed a gap analysis as part of its cloud strategy workforce development and planning component.
- The Library's cloud contracts lack detailed service-level information regarding data preservation and migration.
- The Library does not consistently apply the risk management framework to its cloud applications.
- The Library does not consistently implement its cost estimation and monitoring requirements for cloud migrations.
What the Office of Inspector General Recommends:
- Develop a process to ensure that it is able to identify its cloud-hosted systems, as defined by National Institute of Standards and Technology SP 800-145 and Cybersecurity Framework subcategory ID.AM-4.
- Enhance and document its capabilities to ensure that the Office of the Chief Information Officer can automatically track and report on the Library's current-state cloud systems at a level of granularity that can support enterprise architecture and Office of the Chief Information Officer reporting of cloud migration metrics, and track the Library's progress toward a planned future state.
- Update its cloud strategy and cloud implementation plan to fully align with the federal Cloud Smart strategy.
- Disseminate the updated documents to management-level Office of the Chief Information Officer personnel and individuals within the Contracts and Grants Directorate to ensure organization-wide awareness and alignment.
- Develop account management and auditing procedures to support the implementation of the Office of the Chief Information Officer Google Services.
- Provide training to relevant personnel so they can execute the responsibilities documented within the new procedures.
- Ensure the most current System Administration Manuals are available and accessible as needed to enable Library personnel to perform their duties.
- Update the Library's cloud strategy to include a workforce development and planning component.
- Perform an Office of the Chief Information Officer-wide skills gap assessment in support of the Library cloud strategy.
- Based on the results of the Office of the Chief Information Officer-wide skills gap assessment, implement any necessary corrective actions.
- Finalize and implement the procurement policies for cloud computing services and IT products and services.
- Ensure that the procurement policies take into consideration the guidelines and recommendations for cloud procurement contained in National Institute of Standards and Technology SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing, and National Institute of Standards and Technology SP 800-146, Cloud Computing Synopsis and Recommendations.
- Ensure that system security plans or other system-specific documents for current cloud-based systems address data preservation and the migration of data to and from the cloud, as outlined in National Institute of Standards and Technology SP 800-146, Cloud Computing Synopsis and Recommendations, sections 3 and 9, respectively.
- Evaluate the alignment of its established low-impact externally hosted control baselines with National Institute of Standards and Technology control baselines, and document and justify any deviations (i.e., tailoring) with a rationale or an acceptance of the related risk.
- Refine its Plan of Action & Milestones management process to ensure that it reviews reports of overdue Plans of Action & Milestones in a timely manner and to require justification for any delays or extensions.
- Review cloud system continuous monitoring plans to ensure that the control scopes and assessment frequencies are commensurate with the systems' control baselines. Monitor performance of control assessments accordingly.
- Review the system security plans in Archer to determine the scope of the technical error related to inherited controls. Coordinate with the vendor to identify and implement a solution.
- Conduct an analysis to determine if system security plans for other systems have insufficient tailoring or inheritance statements, and create a plan to address any identified gaps.
- Establish Library-specific cost models for computing, storage, and network services that the Library can use in performing total cost of ownership comparisons and monitoring.
- Ensure the Library's cloud strategy or implementation plan clearly identifies the need to document and present total cost of ownership comparisons when making hosting determinations.
- Plan and monitor the implementation of its cloud IT investments, and complete and submit quarterly and annual IT investment reports with documentation supporting the reported status, if necessary.
The Department Needs to Improve Its System Security Assessment and Continuous Monitoring Program to Ensure Security Controls Are Consistently Implemented and Effective
For our final report on our audit of the U.S. Department of Commerce's (the Department's) system security assessment process, our objective was to assess the effectiveness of the Department's system security assessment and continuous monitoring program in ensuring that security deficiencies were identified, monitored, and adequately resolved. We found the Department did not effectively execute its continuous monitoring and system assessment process. Specifically, we found the following:
I. the Department did not effectively plan for system assessments;
II. the Department did not consistently conduct reliable system assessments;
III. the Department did not resolve security control deficiencies within defined completion dates; and
IV. the Department's security system of record (i.e., the cyber security asset and management tool) did not provide accurate and complete assessment and plan of action & milestone data.
Registered Investment Adviser Examinations: EXAMS Has Made Progress To Assess Risk and Optimize Limited Resources, But Could Further Improve Controls Over Some Processes, Report No. 571
Audit of the Fund Accountability Statement of Ein Dor Museum, Youth United Against Racism Program, in West Bank and Gaza, Cooperative Agreement 72029418CA00003, January 1 to December 31, 2020