CFPB Report: 2012-AA-C-002 November 15, 2012
We completed our annual Federal Information Security Management Act of 2002 (FISMA) audit of the CFPB. Our specific audit objectives were to evaluate the effectiveness of security controls and techniques for selected information systems and to evaluate compliance by the CFPB with FISMA and related information security policies, procedures, standards, and guidelines provided by NIST, OMB, and the Department of Homeland Security.
In accordance with reporting requirements, our FISMA review included an analysis of the CFPB’s security-related processes in the following areas: risk management, continuous monitoring management, plan of action and milestones, identity and access management, remote access management, configuration management, security training, contractor systems, contingency planning, incident response and reporting, and security capital planning.
Overall, we found that the CFPB has taken several steps to develop, document, and implement an information security program. For example, the CFPB has drafted agency-wide information security and acceptable-use policies, as well as procedures for continuous monitoring and risk management. In addition, the CFPB has developed an inventory of FISMA-reportable systems and a baseline of security controls for its information systems. However, we found that additional steps are needed to fully develop, document, and implement an information security program that is consistent with FISMA.
We recommended that the CIO develop and implement a comprehensive information security strategy that identifies specific goals, objectives, milestones, and resources to establish a FISMA-based information security program; finalize the agency-wide information security policy and develop procedures to facilitate the implementation of the policy; and analyze the CFPB’s contractor oversight processes and information security controls for additional contractor-operated systems and take actions, as necessary, to ensure that FISMA and CFPB information security requirements are met. The CIO concurred with our recommendations and outlined actions that have been taken, are underway, and are planned to strengthen CFPB’s information security program.
