Evaluation of the CPSC's Management of Cloud Computing, Shared Services, & Third-Party Systems

Date Issued
Report Number
24-A-01
Report Type
Inspection / Evaluation
Number of Recommendations
6
Description
We retained the services of Williams, Adley, & Co.-DC LLP (Williams Adley), an independent public accounting firm, to conduct an evaluation to assess the Consumer Product Safety Commission’s (CPSC) management of its cloud systems, shared services, and third-party systems, from a legal, internal control, and contractual perspective.
Questioned Costs
$0
Funds for Better Use
$0

Open Recommendations

Develop and implement an IT modernization plan. This plan should:
  i. document an inventory of all legacy systems in operation at the CPSC
  ii. identify the cost associated with the operations and maintenance of the legacy systems in operation in the current environment at the CPSC
  iii. identify the resources necessary to modernize each CPSC legacy system (e.g., migrating to a Commercial-Off-The-Shelf solution or shared services solution, moving to a cloud environment, etc.)
  iv. analyze potential opportunities to save money, improve operations, and improve security through modernizing the CPSC’s legacy systems

Develop and establish a process to monitor the implementation of the IT modernization plan by documenting the objectives, goals, tasks, milestones, metrics, and funding sources associated with management’s modernization efforts.

Establish and implement a policy and procedure to manage the cloud computing, shared services, and third-party system inventory necessary for transitioning to a consumption-based service model.

The CPSC should develop and implement policies and procedures to periodically review security packages from external service providers (such as those hosting cloud, shared services, and third-party systems) to ensure that the risks posed by the external service provider are within the CPSC’s risk appetite and tolerance.

The CPSC should review the external service provider’s customer responsibility matrices, select, tailor, implement the relevant security controls from those matrices and then document (and periodically reassess) those controls to support the ongoing authorization to operate and use decision.