CFPB Report: 2020-IT-C-014 April 29, 2020
The Federal Information Security Modernization Act of 2014 requires federal agencies to develop and implement a plan of action and milestones process to document and remediate information security weaknesses. As part of our 2019 FISMA audit of the Bureau's information security program, we assessed the effectiveness of the Bureau's POA&M process.
The Bureau has opportunities to strengthen its POA&M process. We found that costs associated with remediating cybersecurity weaknesses listed in POA&Ms were not accurately accounted for. We also identified instances in which the status of cybersecurity weaknesses included in the Bureau's automated solution for POA&M management was inaccurate. These issues may hamper the Bureau's ability to effectively allocate resources to ensure the timely remediation of cybersecurity weaknesses and impair its performance reporting related to POA&M items.
This memorandum contains recommendations.