Skip to Navigation
Skip to Main content
OIG Home
OIG Home


Skip SHARE THIS PAGE section Skip STAY CONNECTED section

CFPB Report: 2014-IT-C-020 November 14, 2014

2014 Audit of the CFPB's Information Security Program

available formats

Appendix B: Management's Response

November 13, 2014

Mr. Andrew Patchan, Jr.
Associate Inspector General for Information Technology
Board of Governors of the Federal Reserve System
Consumer Financial Protection Bureau
20th and C Streets, NW
Washington, DC 20551

Thank you for the opportunity to review and comment on the Office of Inspector General's draft report of the 2014 Audit of the CFPB's Information Security Program.

We are pleased that you found that the Bureau continues to improve our FISMA compliance and Information Security posture. The report noted measures taken by the CFPB to implement ongoing security controls testing for CFPB's systems as part of our continuous monitoring process, and also noted that we have improved our patch management practices at the operating system level. During FY2014, the Bureau successfully executed the first full year of Information Security Continuous Monitoring (ISCM) activity, from which we have gleaned valuable insight from ISCM into the methods and metrics that support our continuous authorization model. Our current ISCM strategy and Continuous Diagnostics and Mitigation (CDM) plans coincide with your recommendations conveyed in this year's report and align to our plans and expectations for maturing the program. We appreciate that you have closed 2013's recommendation on continuous monitoring, and the Bureau looks forward to further noteworthy improvements in continuous monitoring in the year to come.

The Bureau is pleased to note that you now record us as consistent with nine of the eleven OIG FISMA areas, specifically continuous monitoring, configuration management, identity and access management, incident response and reporting, risk management, plan of action and milestones, remote access management, contractor systems, and security capital planning. We are glad that our efforts to enhance continuous monitoring, configuration management, and security capital planning are reflected in your report, significantly improving the results from last year. In FY2015, we will continue our work to incrementally improve and mature our processes in the areas of security training and contingency planning.

In your report, you noted our progress not only in ISCM, but also our work in configuration management (CM), the ongoing maturation of our CM program, and the progress we have made through the finalization of our organization-wide patch management policy. This policy is one element to our comprehensive plans to improve assurances that software patches are installed in a safe and timely manner, and that systems remain in a compliant, risk-tolerant state. Our existing plans, to improve overall vulnerability management through the use of more advanced CM and vulnerability management tools will result in improvements that address your recommendations in this year's report.

Thank you for the professionalism and courtesy that you demonstrated throughout this review. We have provided comments for each recommendation.


Ashwin Vasan
Chief Information Officer

Response to Recommendations Presented in the Draft IG Report 2014 Audit of the CFPB's Information Security Program

Recommendation 1: Fully implement the CFPB's selected automated solution for assessing security controls and analyzing and responding to the results of continuous monitoring activities.

Management Response: The Bureau concurs with this recommendation. Our ISCM program was established in response to risk management needs in support of the Bureau's progress towards a holistic risk management approach, the Cross-Agency Priorities that had established ISCM as an objective at that time, as well as doctrine and guidance to include NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, September, 2011. Our plans for incremental development and improvement of our ISCM automated capabilities mirrors the research and subsequent conclusions simultaneously performed by the Federal CIO Council as described in the United States Government Concept of Operations (CONOPS) for Information Security Continuous Monitoring. The Bureau analyzed doctrine, guidance and the placement of continuous monitoring in our enterprise based upon our risk assessments and continuous authorization model, and selected elements via a "bottom-up" approach that affords us ISCM return on investment with alignment to our risk mitigation and management needs. Going forward, incremental improvements to the automated tools will continue to increase value in our risk management domain.

Recommendation 2: Assess the ISCM implementation options and guidance outlined in the CON OPS and update the CFPB's ISCM strategy, as necessary.

Management Response: The Bureau concurs with this recommendation. Our ISCM strategy capitalizes on the research and recommendations offered in the CON OPS, and aligns closely to the Iterative and Incremental Model via the DHS CDM BPA option as described in the CONOPS. To this end, the Bureau is actively engaged in the Continuous Diagnostics and Mitigation (CDM) program having executed a Memorandum of Agreement between DHS and the Bureau and closely monitoring the program as it evolves. Given the pressing need for relevant technologies and the schedule for CDM procurements, the Bureau is pressing forward with internal capabilities that will be deployed with a Continuous Monitoring module configured so as to integrate with internal scanning and monitoring tools and vulnerability management solutions. This will allow us to integrate the totality of our security lifecycle and system portfolio, with live data from not only the CDM and dashboard but also our own internal tools resulting in Continuous Monitoring across the CFPB technology enterprise. As the Bureau and its technology enterprise evolve and mature, so too will the ISCM strategy to ensure alignment and effectiveness of the program.

Recommendation 3: Strengthen the CFPB's vulnerability management practices by implementing an automated solution and process to periodically assess and manage database and application-level security configurations.

Response: CFPB concurs with this recommendation. Our plans to continue the evolution of vulnerability management in our enterprise are underway, and on-track for further improvements in FY2015. Enhancements to our vulnerability management tool suite are underway with additional modules and capabilities that enable the Bureau to detect and discern potential issues throughout the enterprise and including, among other, the database and application level. The technology will capitalize on the work already accomplished and noted in your report to standardize system build and configurations to establish a sound baseline operating environment. We intend to further our use of standards-based reference data as provided by the National Vulnerability Database via Common Vulnerabilities and Exposures (CVE) and other SCAP (Security Content Automation Protocol) protocols. During our on-going phased deployments, we are maturing our processes and tools to further the use of SCAP and live content feeds from official sources, thus reducing the time it takes to detect (and then mitigate) security problems in our systems.