The Office of Inspector General (OIG) of the Federal Deposit Insurance Corporation (FDIC) issued its report on the FDIC’s Information Security Program--2021. The OIG engaged a contractor firm to conduct this audit, which evaluated the effectiveness of the FDIC’s information security program and practices, as required by the Federal Information Security Modernization Act of 2014 (FISMA).
Inspectors General (IGs) assess the effectiveness of an agency’s information security program and practices using a maturity model. The model aligns with the five function areas of the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity: Identify, Protect, Detect, Respond, and Recover. IGs assign a maturity level rating to each of the five function areas, as well as an overall rating, on a scale of 1 to 5. The audit determined that the FDIC’s overall information security program was operating at Maturity Level 4. Under the DHS FISMA Metrics, a domain rating is determined by simple majority: the most frequent level (the mode) across the component questions becomes the domain rating, even where the individual question ratings differ widely. A domain rating can therefore mask significantly weaker results on individual questions within that domain.
The audit report also identified significant security control weaknesses that reduced the effectiveness of the FDIC’s information security program and practices, the most significant of which are described below:
High Number of Overdue and Unaddressed High- and Moderate-Risk Plans of Action and Milestones (POA&Ms). There were 176 open high- and moderate-risk POA&Ms, with scheduled completion dates ranging from March 2010 to July 2021, meaning some had been overdue for more than a decade. Unless the FDIC consistently addresses control deficiencies in a timely manner, its backlog of POA&Ms will continue to grow, leaving its data exposed to exploitation of known but unmitigated weaknesses.
The FDIC’s Supply Chain Risk Management (SCRM) Program Lacks Maturity. The FDIC has not defined the processes and procedures that support the underlying components of its SCRM directive. Without them, the FDIC cannot ensure that the products, system components, systems, and services it obtains from external parties meet its cybersecurity requirements, placing it at increased risk of compromise through its supply chain.
Administrative Account Management Needs Improvement. Administrative accounts are prime targets for adversaries, who can use them to corrupt data, launch attacks, or conduct other malicious activity. We have reported weaknesses in administrative account management in each of our past four FISMA audit reports issued since 2017. During FY 2021, the FDIC opened 10 additional POA&Ms related to privileged user access. Weaknesses in the FDIC’s processes for managing administrative accounts increase the risk of unauthorized activity, such as individuals accessing, modifying, deleting, or exfiltrating sensitive information.
Inadequate Oversight and Monitoring of FDIC Information Systems. Historically, several systems, components, and services that should have been assessed under the NIST Risk Management Framework (RMF) process were instead mischaracterized as subject to the now-rescinded Outsourced Solution Assessment Methodology. As a result, the FDIC did not subject these systems to a proper risk assessment, authorization to operate (ATO), or ongoing monitoring in accordance with the RMF. As of June 22, 2021, the FDIC had not completed ATOs for 10 operational systems. Until the FDIC subjects all of its systems to the RMF, it cannot be sure that it will identify and address security and privacy risks in a timely manner.
The audit report contained six recommendations for the FDIC to address the weaknesses we identified.