The Office of Inspector General (OIG) of the Federal Deposit Insurance Corporation (FDIC) issued its audit of the FDIC’s Information Security Program--2020. The OIG engaged a contractor firm to conduct this audit. The FDIC’s overall information security program was operating at a Maturity Level 3 (Consistently Implemented) on a scale of 1-5. Programs operating below a Maturity Level 4 are not considered effective.
The FISMA report describes security control weaknesses that limited the effectiveness of the FDIC’s information security program and practices and placed the confidentiality, integrity, and availability of the FDIC’s information systems and data at risk.
Risk Management. The FDIC had not fully defined its Enterprise Risk Management governance, roles, and responsibilities. In addition, the FDIC had not yet implemented recommendations to integrate privacy into its Risk Management Framework (RMF), nor did the FDIC always address Plans of Action and Milestones (POA&Ms) in a timely manner.
Risk Acceptance Decisions Not Consistently Reassessed. The FDIC did not consistently review its existing Acceptance of Risk (AR) documents after they were initially established, nor did it submit ARs for re-approval. Therefore, it cannot effectively assess the level of risk it is incurring relative to established Risk Tolerance levels.
Unauthorized Software on the Network. In May 2020, the FDIC discovered an unauthorized commercial software application installed on 32 desktop workstations; the application had not been approved by the FDIC’s IT governance bodies or subjected to established configuration management processes. Notably, the FDIC’s Office of the Chief Information Security Officer had previously raised security concerns about this same software. The FDIC subsequently removed the unauthorized software from the workstations.
Privacy Control Weaknesses Not Fully Addressed. The FDIC had not completed actions to address previously identified privacy control weaknesses, such as integration of privacy considerations into its Risk Management Framework; implementation of its planned Document Labeling initiative; establishment of controls to effectively secure Personally Identifiable Information (PII) stored in network shared drives; and disposal of PII within established timeframes.
Oversight and Monitoring of Outsourced Systems Not Adequate. In June 2020, the FDIC rescinded its Outsourced Solution Assessment Methodology (OSAM) used to assess security and privacy risks associated with outsourced information systems because it did not align with National Institute of Standards and Technology guidance. As a result, the FDIC had not properly categorized some of its systems covered by OSAM or subjected these systems to a proper risk assessment, authorization to operate, and ongoing monitoring.
Cloud-based Systems Not Subject to Annual Control Assessments. As of April 2020, the FDIC had 14 cloud-based systems that provided critical IT services. The FDIC did not subject these cloud-based systems to required annual control assessments.
We made eight recommendations for the FDIC to reassess its risk acceptance decisions in accordance with policy; implement control improvements to prevent the unauthorized installation of software on the network; and complete actions to address open POA&Ms related to baseline configurations. We also recommended that the FDIC assess and improve controls for managing administrative accounts; implement a process to ensure all outsourced information systems are subject to the RMF; and ensure all cloud-based systems are subject to annual security and privacy control assessments. Finally, we recommended that the FDIC update its IT contingency planning policy and incorporate additional scenarios into its IT contingency plan testing. FDIC Management concurred with the eight recommendations in the report.