CFPB Report:  November 15, 2011

Audit of the Bureau of Consumer Financial Protection's Information Security Program



The audit was performed pursuant to the Federal Information Security Management Act of 2002 (FISMA), which requires that each agency IG conduct an annual independent evaluation of the agency’s Information Security Program and practices. 

The CFPB is relying on the Information Security Program and computer systems of Treasury. As part of its 2011 FISMA audit, the Treasury OIG evaluated the effectiveness of Treasury’s Information Security Programs, including controls for 15 systems across Treasury bureaus. One of the systems included in the Treasury OIG’s FISMA review was a general support system that the CFPB is relying on for network infrastructure and connectivity to support a number of applications. To meet our annual FISMA reporting responsibilities for the CFPB and avoid duplication of effort, we relied on the FISMA work performed by the Treasury OIG.

The Treasury OIG contracted with KPMG LLC, an independent certified public accounting firm, to perform its 2011 FISMA audit. Overall, KPMG concluded that Treasury’s Information Security Program and practices for its non-Internal Revenue Service bureaus’ unclassified systems were generally consistent with the requirements of FISMA. KPMG noted, however, that “Treasury’s Information Security Program was not fully effective,” as evidenced by control weaknesses identified for various Treasury systems. Treasury can improve the effectiveness of its Information Security Program and controls for the general support system that CFPB relies on by strengthening risk management, configuration management, and contingency planning controls.

In comments on a draft of our report, the CFPB CIO stated that the CFPB continues to leverage certain services provided by Treasury as an interim means to maintain operational efficiencies. The CIO also noted that a key component of CFPB technology independence is a robust and comprehensive cyber-security program. The CFPB’s cyber-security program is aligned to the risk management framework developed by NIST.