The Bureau’s Office of Inspector General (OIG) (which it shares with the Fed) recently issued its 2013 report card on the CFPB’s information security system. While the OIG states in the audit report that the CFPB has made “significant progress in developing, documenting, and implementing its information security program,” the OIG nevertheless found “opportunities” for further improvement.
In its 2012 report, the OIG found that the CFPB has not yet developed, documented or implemented an agency-wide information security program that was consistent with the Federal Information Security Management Act of 2002 (FISMA), which requires agencies to develop, document and implement an agency-wide information security program that meet certain standards. Although the OIG states in the new report that it is “closing out our three FISMA recommendations from 2012? due to the CFPB’s “significant progress,” the OIG also states that the CFPB’s information security program was only generally consistent with the U.S. Department of Homeland Security’s 2013 FISMA reporting guidance for OIGs in 6 out of 11 areas.
The OIG recommends that the CFPB’s Chief Information Officer should (1) strengthen the CFPB’s information security continuous monitoring program through steps that include the use of additional automated tools, (2) develop and implement an organization-wide configuration management plan and a consistent process for patch management, (3) design, develop and implement a role-based security training program for individuals with significant security responsibilities, and (4) ensure that audit logs and security incident information from all relevant sources are centrally tracked, analyzed and correlated. The OIG’s report includes the Chief Information Officer’s response, which outlines steps being taken by the CFPB to address the OIG’s recommendations.
One of the OIG’s 2012 recommendations was for the CFPB’s Chief Information Officer to analyze the CFPB’s oversight processes and information security controls for its third-party service providers and take steps to ensure that those providers met FISMA and CFPB information security requirements. The OIG’s statement in the 2012 report that it is closing out its 2012 recommendations presumably means that the CFPB has satisfied the OIG’s recommendation regarding third-party service providers. However, while stating in the 2013 report that as part of its audit, the OIG “reviewed security controls for a contractor-operated system,” the OIG also states that “[t]he results of our review of security controls for this system will be transmitted under a separate, restricted cover.” Given how much emphasis the CFPB places on third-party monitoring by the entities it supervises, we find it surprising that the OIG has not offered any explanation for why information relating to a CFPB contractor cannot be publicly shared, particularly when the contractor was presumably found to be compliant with information security requirements.