The Program for Security of FOMC Information requires that access to FOMC information be limited to those with a strict need to know; however, the access control list for the publication system included two Board staff members for whom we could not definitively determine a need to access the system. Further, when distributing the FOMC minutes in the publication system, Monetary Affairs staff did not limit access to the FOMC minutes to a subset of users on the publication system access control list with a need to know. The FOMC Secretariat should strengthen its policies and procedures to help reduce the risk of the FOMC minutes being accessed in the publication system by Board staff without a need to know.
We reviewed the publication system access control list and interviewed Board staff and officials to determine which Board staff had a strict need to know for accessing the system. Based on our review and interviews, we were unable to determine whether two Board staff in the Office of Board Members had a strict need to know for accessing the publication system. After our fieldwork concluded, Board officials stated that the two Board staff mentioned above served as backups to other Office of Board Members staff who perform integral functions in the FOMC minutes publication process. To ensure that access to the publication system is limited to only Board staff with a strict need to know, the Office of Board Members should implement recommendation 2 of this report, and the FOMC Secretariat should strengthen its procedures for determining access to the publication system.
FOMC Secretariat staff had informal notes that described the process for distributing the FOMC minutes within the publication system to Board staff. These notes did not state that access to the FOMC minutes in the publication system should be limited to Board staff with a need to know. In addition, we found that the notes called for the distribution of the FOMC minutes to a broader group of publication system users than may have been necessary, including the two individuals mentioned above and five other Board staff who needed access to the publication system but did not necessarily need routine access to the FOMC minutes. Therefore, the FOMC Secretariat should strengthen its procedures to ensure that access to the FOMC minutes is limited to Board staff with a need to know.
We recommend that the Director of the Division of Monetary Affairs
The Director of the Division of Monetary Affairs agreed with our recommendation. In his response, the Director stated that the Division reviewed and updated the access control list and put in place additional access limits for specific documents within the publication system. The Director indicated that the Division is in the process of formalizing its policies in writing for establishing a need-to-know reason for accessing the publication system and the FOMC minutes.
In our opinion, the actions described by the Director of the Division of Monetary Affairs are responsive to our recommendation. We plan to follow up on the division's actions to ensure that the recommendation is fully addressed.
