September 30, 2014
GAO continues to include protecting the federal government's information systems and the nation's cyber critical infrastructure as a priority for federal agencies. The Office of Inspector General has likewise identified information security as a major management challenge for the CFPB due to the advanced, persistent threat to government information technology (IT) infrastructure. CFPB management needs to continue improving its information security program, overseeing the security of contractor-operated information systems, transitioning IT resources from the U.S. Department of the Treasury (Treasury), and ensuring that personally identifiable information is properly protected.
As the CFPB evolves, it continues to mature and improve its information security program to align with the new guidance provided by the National Institute of Standards and Technology. The CFPB has taken steps over the past year to develop, document, and implement an information security program; however, we have identified opportunities to improve this program through automation, centralization, and other enhancements to ensure that the Federal Information Security Management Act of 2002 (FISMA) requirements are met. Improvements are needed in four high-priority security risk areas: continuous monitoring, configuration management, security training, and incident response and reporting.
CFPB management faces challenges in implementing a continuous monitoring process for all CFPB systems, establishing metrics to gauge the effectiveness of its continuous monitoring program, and implementing automated tools to more comprehensively assess security controls and system configurations. Challenges also exist in developing and implementing an agency-wide configuration management plan. Further, it is difficult for the CFPB to correlate information on incident activity because it does not yet have the capability to analyze security incident information from all relevant sources. Finally, the agency needs to develop and implement a role-based security training program to ensure that individuals with significant security responsibilities for CFPB systems are effectively and efficiently implementing the agency's information security program.
The CFPB has taken steps to develop, document, and implement an information security program. The agency has finalized its information security policy, developed information security procedures and standards in several areas, and developed an information security strategy. The CFPB has also implemented processes that are generally consistent with federal requirements for identity and access management, incident response and reporting, risk management, plans of action and milestones, remote access management, and contractor systems. Further, the CFPB is developing an enterprise architecture that will include security architecture to help guide agency investments in information security.
FISMA requires agencies to develop, document, and implement an agency-wide information security program for the information and information systems that support the operations and assets of the agency, including those provided by another agency, a contractor, or another source. The CFPB relies on a variety of contractor-operated and contractor-maintained systems to meet its mission, including several cloud computing–based systems in which computing resources may be shared with other federal or commercial entities. The agency faces challenges in ensuring that contractors implement the required information security controls.
The risk associated with contractors can be heightened in cloud computing–based environments because the agency may have limited insight or knowledge of the security processes of contractors. The CFPB needs to ensure that cloud providers are implementing requirements for records management, electronic discovery, privacy, and information security. Our audits of CFPB contractor-operated systems have identified several areas for improvement to ensure that the CFPB's information security requirements are met. These areas include incident response and reporting, configuration management, and personnel security.
The CFPB has taken several steps to strengthen its oversight processes to ensure that contractor-operated systems meet FISMA and agency information security requirements. The CFPB has implemented a change control process whereby the security impact of changes to all systems, including contractor-operated systems, is analyzed and approved. The CFPB also has begun implementing a continuous monitoring process whereby security controls for contractor-operated systems are assessed on an ongoing basis.
Transitioning information security and IT resources from Treasury and building the CFPB's IT infrastructure pose challenges for the CFPB. When the CFPB began operations in July 2011, it relied on the IT systems, the IT infrastructure, and the information security program of Treasury. Since then, the CFPB has made progress in transitioning from Treasury; however, the CFPB must address management and technical challenges in its transition to ensure the implementation of a robust IT infrastructure.
The CFPB has encountered scheduling delays in transitioning IT from Treasury and in establishing certain components of its own IT infrastructure. The CFPB continues to rely on Treasury for certain information security program services and systems, including remote access, security awareness training, and incident reporting. The transition will require significant resources and a concerted effort over several years. The CFPB should analyze the costs and benefits of various approaches to developing its IT infrastructure and completing the development and implementation of its enterprise architecture. Further, the agency must ensure that its IT infrastructure is built with appropriate security and privacy controls to protect sensitive information.
The CFPB has developed a phased approach to transitioning IT services from Treasury and developing its IT infrastructure. Having transitioned e-mail, file shares, mobile devices, and other enterprise services to CFPB-managed infrastructure, the agency is making progress toward full technology independence. The CFPB is also in the process of defining its enterprise architecture, which includes the IT technologies, standards, and processes the agency will use to accomplish its mission.
Protecting personally identifiable information in federal systems is critical because its loss or unauthorized disclosure can lead to serious consequences for individuals. The CFPB must continue to ensure that sensitive privacy information is adequately protected within the systems it owns and maintains and within those maintained on its behalf by contractors and other entities.
To accomplish its mission, the CFPB collects, processes, stores, and shares privacy-related information on consumer financial products and services. The CFPB has stated that it does not monitor the accounts of particular consumers and does not track the financial habits or activities of any individual consumer. In the normal course of carrying out its statutory mandate to protect consumers, ensure regulatory compliance, and monitor the consumer financial marketplace for risks to consumers, the CFPB receives information about accounts from consumers who seek the CFPB's help through the Consumer Response function and from the institutions involved in the complaints. In addition, the CFPB performs market monitoring activities, which involve the analysis of market trends and risks to consumers based on aggregated account information.
The CFPB has designated a Chief Privacy Officer, who is responsible for the agency's privacy compliance and operational activities. The CFPB has also developed privacy and breach notification policies, systems of records notices, and privacy impact assessments of various systems that collect or store personal information. Further, the agency has implemented a number of management, operational, and technical controls to ensure that privacy information is adequately protected.