Je veux savoir à propos de…

Federal Register / Vol. 86, No. 209 / Tuesday, November 2, 2021 / Notices importance to the functioning of the US
financial markets.9 As explained in more detail below, OCC believes the Cloud Implementation will enhance the resiliency of OCCs core clearing, risk management, and data management applications by virtue of OCCs architectural design decisions and the Clouds built-in redundancy, guarantee of persistent availability, and disciplined approach to deployment of Cloud Infrastructure. In particular, the Cloud Implementation will enhance OCCs ability to withstand and recover from adverse conditions by provisioning redundant Compute, Storage, and Network resources in three zones in each of two autonomous and geographically diverse regions. This will afford OCC six levels of redundancy in the Cloud with a primary and secondary Virtual Private Cloud running in a hot/
warm configuration. The hot Virtual Private Cloud will be operational and accepting traffic, while the warm Virtual Private Cloud will simultaneously receive the same incoming data and receive replicated data from the hot Virtual Private Cloud with applications on stand-by. This solution significantly reduces operational complexity, mitigates the risk of human error, and provides resiliency and assured capacity. Finally, the on-premises data center will operate as a separate, logically isolated backup to the six levels of redundancy provided for in the Clouda backup to backups. The onpremises data center will also simultaneously receive incoming data and the replicated data from the CSP
hosted Virtual Private Clouds. The onpremises data center is intended to be used only in the unlikely and extraordinary event that OCC
completely loses access to the CSP.

jspears on DSK121TN23PROD with NOTICES1

ii. Enhanced Security The physical and cyber security standards that OCC has designed to align with the National Institute of Standards and Technology NIST, Cyber Security Framework CSF, and Center for Internet Security CIS
benchmarks will not change in the Cloud Infrastructure. OCC will add meaningful security capabilities and measures provided by the CSP and selected third-party tools to enhance the security of OCCs core clearing, risk management, and data management 9 In this context, resiliency is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that include cyber resources. Systems Security Engineering: Cyber Resiliency Considerations for Engineering of Trustworthy Secure Systems, Spec. Publ. NIST SP
No. 800160, vol. 2 2018.

VerDate Sep<11>2014

17:42 Nov 01, 2021

Jkt 256001

applications.10 Given the scope of their service, CSPs leverage economies of scale and offer infrastructure and services with specialized configuration, monitoring, prevention, detection, and response tools.11 Furthermore, unique Cloud-specific capabilities, such as services for provisioning credentials and end-to-end configuration change management and scanning, will provide OCC enhanced levels of protection not available in traditional on-premises solutions. Finally, the on-premises data center will be physically isolated from other on-premises networks, such as the development network, with consistent controls and equivalent security tools to that of the Virtual Private Clouds.
Specific security-based risks are examined in more detail below.
iii. Increased Scalability The Cloud Implementation will allow for more scalability of Compute, Network, and Storage resources that support OCCs core clearing, risk management, and data management applications.12 With a Cloud Infrastructure, OCC can quickly provision or de-provision Compute, Storage, or Network resources to meet demands, including elevated trade volumes, and provide more flexibility to model and create development and test environments for back testing and stress testing, as well as other systems development needs. For example, the CSP can support elastic workloads and scale dynamically without the need for OCC to procure, test, and install additional servers or other hardware.
10 Examples of enhanced cloud security capabilities include automated infrastructure deployment that is monitored for change, creating a standardized baseline; default separation between SCI and non-SCI operating domains; and automated and ubiquitous encryption.
OCC has separately submitted a request for confidential treatment to the Commission regarding the Future State: CSP and On-Premises Security Architecture, which OCC has provided in confidential Exhibit 3b to File No. SROCC2021
802.
11 For example, CSPs generally build infrastructure capable of withstanding Distributed Denial of Service DDoS attacks to far greater magnitudes than any one company can. In February 2020, one CSP stated that its infrastructure was targeted by and withstood a sustained DDoS attack of up to 2.3 terabytes per second.
12 OCC will continue to follow existing policies and procedures regarding capacity planning and change management. OCC periodically performs capacity and availability planning analyses that result in capacity baselines and forecasts, as an input to technology delivery and strategic planning to ensure cost-justifiable support of operational business needs. These analyses are based on the collection of performance data, trending, scenarios, and periodic high-volume capacity stress tests and include storage capacity for log and record retention. Results are reported to technology and security leadership as input to performance management and investment planning.

PO 00000

Frm 00065

Fmt 4703

Sfmt 4703

60505

This means that OCC may increase Compute capacity in one or both regions where it operates via manual or automated processes for core clearing, risk management, and data management applications. The rapid deployment of Compute capacity will allow OCC to obtain access to resources far more quickly than with existing physical data centers. The efficiency gains from the increased scalability of the Cloud Infrastructure will allow OCC to run certain back testing processes at a fraction of the time currently required.
These and additional efficiency gains are discussed in more detail below.
Implementation Timeframe OCC expects to launch the new core clearing, risk management, and data management applications into production no earlier than April 1, 2024. The proposed timeline to launch includes several milestones, such as connectivity testing in the first quarter of 2023, external testing in the second quarter of 2023, and certification of readiness from clearing members and exchanges in the first quarter of 2024.
OCC will communicate frequently with stakeholders during this timeframe and will confirm the production implementation date of the proposed launch by Information Memorandum posted to its public website at least eight weeks prior to implementation.13
Anticipated Effect on and Management of Risk Federal Financial Institutions Examination Council Cloud Computing Guidance On April 30, 2020, the Federal Financial Institutions Examination Council FFIEC 14 issued a joint statement to address the use of Cloud computing services and security risk management principles in the financial services sector FFIEC Guidance.15
While the FFIEC Guidance does not contain regulatory obligations, it highlights risk management practices that financial institutions should adopt for the safe and sound use of Cloud computing services in five broad areas 13 See, Timeline to Launch, available at:
https www.theocc.com/Participant-Resources.
14 The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Consumer Financial Protection Bureau, and to make recommendations to promote uniformity in the supervision of financial institutions.
15 Available at: https www.ffiec.gov/press/
pr043020.htm.

E:FRFM02NON1.SGM

02NON1