CFPB Report: 2013-IT-C-020 December 2, 2013
Overall, we found that the CFPB has taken multiple steps over the past year to develop, document, and implement an information security program that is consistent with FISMA requirements. The CFPB has also taken several actions to strengthen its information security program in the 11 areas outlined in DHS's 2013 FISMA reporting guidance for IGs. We found that the CFPB's information security program is generally consistent with the requirements outlined in DHS's FISMA reporting guidance for IGs in 6 out of 11 information security areas: identity and access management, incident response and reporting, risk management, plan of action and milestones, remote access management, and contractor systems.
We identified opportunities to improve CFPB's information security program through automation, centralization, and other enhancements to ensure that key DHS requirements for continuous monitoring, configuration management, and security training are met. Further, while we found CFPB's information security program to be generally consistent with DHS's requirements for incident response and reporting, we identified opportunities to strengthen CFPB's incident correlation processes. For these improvement areas, we outline below the specific FISMA requirements, CFPB's progress to date in meeting the requirements, work to be done, and provide a corresponding recommendation.
We also identified improvements needed in contingency planning for a select system we reviewed. Our findings and recommendations for this system will be communicated under separate, restricted cover. Finally, we noted that the CFPB is taking sufficient actions to establish a security capital planning program, in accordance with the requirements outlined in DHS's FISMA reporting guidance for IGs. We will continue to monitor CFPB's efforts to improve its security capital planning program as part of our future FISMA audits.
