A new report on FISMA compliance from the Office of the Inspector General (OIG) for the Board of Governors of the Federal Reserve System and the Bureau of Consumer Financial Protection (CFPB) found that the bureau has consistently implemented its information security programs but also called on CFPB to strengthen its enterprise risk management program, among other recommendations.
OIG rated CFPB at level 3 on FISMA’s maturity model scale, “with the agency performing several activities indicative of a higher maturity level,” according to the report. The report notes that the bureau improved its capabilities in the Respond area and remained ahead of the Federal government average, although it remains below the Department of Homeland Security’s bar of level 4 for an effective level of security.
The report highlights some of the strong areas for the bureau’s cybersecurity posture.
“The Bureau’s information security continuous monitoring process is effective and operating at level 4 (managed and measurable), with the agency reporting on performance measures related to supporting activities. Further, the Bureau’s incident response process is similarly effective, with the agency using tools to detect and analyze incidents and track performance metrics.”
However, OIG did have recommendations for improvement, including in the bureau’s enterprise risk management (ERM) program.
“Although the Bureau’s risk management program is operating at a level-3 (consistently implemented) maturity, we identified opportunities to mature the program in the areas of ERM, use of automation to support risk management activities, and insider threat management,” the report states.
OIG found that the bureau had not yet determined impacts and mitigation strategies for identified risks, defined risk tolerance levels, or defined how it will use technology to provide a centralized view of risks. The report also highlights the need to strengthen insider risk programs, an effort that is underway at CFPB.
Among the other recommendations in the report, OIG calls for improved tools in the areas of data loss prevention, automated monitoring of database security configurations, and an expanded phishing exercise program. CFPB also needs to improve processes for patching, applying its existing identity management policies, and using contingency testing results to inform decisions at the enterprise level, OIG said.