CFPB Report: 2025-IT-C-012 October 31, 2025
Each year, we audit the CFPB's information security program as required by the Federal Information Security Modernization Act (FISMA).
The maturity level of the CFPB's information security program has decreased since last year, leading us to conclude the program is no longer effective. For example, authorizations to operate for many systems are not maintained, risk acceptance memorandums lack documented analysis of cybersecurity risks, and outdated software remains in use. While the agency was able to maintain or even strengthen information security in some areas, such as transitioning to continuous vetting of employees, those efforts do not mitigate the overall decline.
We are making six new recommendations to strengthen the CFPB's information security program. In addition, the CFPB has addressed three recommendations from our previous FISMA audits, leaving eight previous recommendations that remain open.