CFPB Report: 2014-IT-C-010 July 17, 2014
The Federal Information Security Management Act of 2002 (FISMA) requires the Office of Inspector General (OIG) to evaluate the effectiveness of the information security controls and techniques for a subset of the agency’s information systems, including those provided or managed by another agency, a contractor, or another organization. To meet FISMA requirements, we reviewed the information system security controls for the Consumer Financial Protection Bureau’s (CFPB) cloud computing–based general support system (GSS).
The CFPB’s strategic plan emphasizes the need for a flexible, scalable information technology (IT) infrastructure that is capable of meeting current needs and sustaining the agency’s future growth. To meet this objective, the CFPB has invested in a cloud computing–based GSS that provides the IT infrastructure to support the agency’s applications and common enterprise services, such as e-mail, instant messaging, and file storage. The GSS is jointly managed and operated by the CFPB and a third party, and it is classified as a moderate-risk system.
Overall, we found that the CFPB has taken a number of steps to secure its cloud computing–based GSS in accordance with FISMA requirements. However, we found that improvements are needed to ensure that FISMA processes and controls are effective and consistently implemented across all information security areas for the GSS. Our report includes recommendations to strengthen security controls for the GSS in four information security areas: system and information integrity, configuration management, contingency planning, and incident response.
The Chief Information Officer concurred with our recommendations and outlined actions that have been or will be taken to address our recommendations. We will follow up on the implementation of each recommendation in this report as part of our future audit activities related to the CFPB’s continuing implementation of FISMA.
Given the sensitivity of information security review work, our reports in this area are generally restricted. Such is the case for this audit report.