
Evaluation of the CPSC's Management of Cloud Computing, Shared Services, & Third-Party Systems

Date Issued
Report Number: 24-A-01
Report Type: Inspection / Evaluation
Questioned Costs: $0
Funds for Better Use: $0

Open Recommendations

Develop and implement an IT modernization plan. This plan should:

i. document an inventory of all legacy systems in operation at the CPSC
ii. identify the cost associated with the operations and maintenance of the legacy systems in operation in the current environment at the CPSC
iii. identify the resources necessary to modernize each CPSC legacy system (e.g., migrating to a Commercial-Off-The-Shelf solution or shared services solution, moving to a cloud environment, etc.)
iv. analyze potential opportunities to save money, improve operations, and improve security through modernizing the CPSC’s legacy systems

Develop and establish a process to monitor the implementation of the IT modernization plan by documenting the objectives, goals, tasks, milestones, metrics, and funding sources associated with management’s modernization efforts.

Establish and implement a policy and procedure to manage the cloud computing, shared services, and third-party system inventory necessary for transitioning to a consumption-based service model.

The CPSC should develop and implement policies and procedures to periodically review security packages from external service providers (such as those hosting cloud, shared services, and third-party systems) to ensure that the risks posed by the external service provider are within the CPSC’s risk appetite and tolerance.

The CPSC should review the external service provider’s customer responsibility matrices; select, tailor, and implement the relevant security controls from those matrices; and then document (and periodically reassess) those controls to support the ongoing authorization to operate and use decision.

The CPSC should revisit the scope section of its security assessment policies and procedures to ensure that they include appropriate consideration for third-party systems.