The Securities and Exchange Commission’s Office of Inspector General released a report stating that the agency “did not fully implement its cloud strategy” and failed to execute an enterprise information technology approach to cloud migration.
According to the report, the SEC lacked progress in its 2017 cloud strategy and launched only two pilot programs slated for implementation across an enterprise network. The IG also found that the SEC's contracts didn't include security requirements and that security assessment reports and Federal Risk and Authorization Management Program (FedRAMP) baseline controls were incomplete or missing.
“The conditions we observed occurred because the Office of IT had not developed policies and procedures specific to cloud system security, or adequate processes to ensure compliance with FedRAMP baseline controls and enhancements for which the agency is responsible,” the report noted.
“As a result, the SEC has not yet fully realized the potential performance and economic benefits attributed to cloud computing services.”