OIG, in review of NCUA cloud computing services, urges an enterprise-wide strategy

An inspector general report recently posted to the agency's website recommends that the federal regulator of credit unions implement an enterprise-wide cloud computing strategy and develop and implement the associated policies, procedures, and standards.

The National Credit Union Administration (NCUA) Office of Inspector General (OIG) said it conducted a self-initiated audit to assess the NCUA’s Cloud Computing Services. Its objectives, it said in its report, were to determine whether the NCUA: (1) adequately addressed risk when contracting cloud computing services; and (2) effectively managed operational and security risks of implemented cloud computing services.

The audit covered cloud computing services in use from June 1, 2021, through June 1, 2023, the OIG said.

“Our audit determined that the NCUA needs an enterprise-wide approach to cloud computing to effectively contract and manage cloud computing services. Additionally, the NCUA should align policies and procedures with the enterprise-wide approach,” the OIG said in its report. “Our audit also determined the NCUA implemented cloud computing services as the situation or business need occurred. This approach, we believe, has not allowed the NCUA to clearly address federal guidance, has created inconsistent processes, and allowed for decisions and implemented services to be made unsystematically.”

The report included two recommendations for NCUA management:

  • Finalize and implement a comprehensive formalized enterprise-wide cloud computing strategy that, at minimum, addresses the following:
    • Alignment with federal guidance and directives such as Cloud Smart and Executive Order 14028.
    • Prioritization of the use of FedRAMP-authorized systems.
    • Identification of workforce requirements needed to support cloud procurement, implementation, and risk management.
    • Management of risks related to the use of cloud computing services such as secure cloud architecture, data governance, and incident management processes.
  • Develop and implement policies, procedures, and standards that are consistent with the NCUA’s cloud computing strategy and address, at minimum, the following:
    • Coordination, identification, and clarification of responsibilities and processes across all stakeholders for IT service contract reviews, service-level agreements alignment and monitoring, and cloud service incident management.
    • Specific criteria for the prioritization, selection, and use of cloud computing services.
    • Periodic review of the contract clauses used for cloud computing services to confirm that the documentation supporting security requirements is clearly identified to the vendor and that security and operational risks are appropriately managed.

NCUA management agreed with both recommendations, saying it expected to complete the first by the end of this year and the second by June 30, 2025.

Audit of the NCUA’s Cloud Computing Services (Report #OIG-24-01)