CFPB Report: June 1, 2026
Our objective was to test security controls for three systems in support of our 2025 Audit of the CFPB’s Information Security Program, as required by the Federal Information Security Modernization Act of 2014. After conducting fieldwork from June to September 2025, we identified an issue that we communicated in our 2025 CFPB FISMA report. Specifically, the report details the issue of CFPB systems, including one of the systems selected in our review, operating without authorization to operate or an equivalent risk assessment. We also identified additional areas of interest that we plan to follow up on in our ongoing 2026 CFPB FISMA audit. Because the issues were either already reported or require broader testing beyond the scope of this work, we are now formally closing the three security control reviews.
