The Consumer Financial Protection Bureau’s approach to securing its information systems has weakened in recent months amid a loss of contractors and bureau personnel, according to a recent audit by the Federal Reserve Office of Inspector General.
“Based on the results of our determinations of effectiveness in each domain and function, the CFPB’s overall information security program is not effective,” according to the Oct. 31 report. “We found that the CFPB is not maintaining its authorizations to operate for many systems and is using risk acceptance memorandums without a documented analysis of cybersecurity risks.”
The audit found the bureau has not maintained the contractor resources that support continuous monitoring and testing. According to the Office of Inspector General, the CFPB’s network includes outdated software for which vendors no longer provide security patches and updates.
“The CFPB is unable to maintain an effective level of awareness of security vulnerabilities in its environment,” according to OIG.
This year, the Trump administration issued 1,500 layoff notices to CFPB staff, reducing the number of employees to 200 from 1,700. Though federal courts blocked the layoffs, an appeals court this summer allowed them to continue. In response to the cutbacks, the bureau’s chief risk officer and others in the enterprise risk management office resigned.
According to the audit, the CFPB can improve its information security program by using cybersecurity profiles to tailor its approach. Despite the staffing shortage, the bureau upgraded its processes for responding to potential ransomware incidents and shifted toward a continuous vetting model for employee background reinvestigations. The bureau is also decommissioning and modernizing large technology systems.