The Office of Inspector General (OIG) of the Federal Deposit Insurance Corporation (FDIC) issued its report on The FDIC’s Information Security Program--2022. The audit evaluated the effectiveness of the FDIC’s information security program and practices, as required by the Federal Information Security Modernization Act of 2014 (FISMA).
Department of Homeland Security (DHS) FISMA Reporting Metrics require OIGs to assess the effectiveness of their agencies’ information security programs and practices using a maturity model. In Fiscal Year 2022, OIGs were required to evaluate a subset of 20 metrics. The FDIC’s information security program was operating at Maturity Level 4 (managed and measurable). The overall maturity level for FY 2022 was determined by a simple majority, with the most frequent level (mode) across the 20 metric questions serving as the overall rating. This mode-based scoring methodology does not fully capture the nature, scope, and magnitude of the risk posture of the agency’s IT security. As a result, an agency may still face significant risks even if its rating is considered managed and measurable. We cautioned the FDIC against complacency, since deficiencies remain in its information security program.
The FDIC had established certain information security program controls and practices that were consistent with policy, standards, and guidelines. However, the audit describes significant control weaknesses that reduced the effectiveness of the FDIC’s information security program and practices, including:
- The FDIC’s Supply Chain Risk Management Program (SCRM) Lacks Maturity. The FDIC still has not developed policies and procedures or implemented objectives that support the underlying components of its SCRM directive.
- The FDIC Did Not Adequately Oversee and Monitor Information Systems. The FDIC had not completed the authorization for approximately 52 percent of its legacy systems and subsystems, in accordance with the NIST Risk Management Framework.
- The FDIC Did Not Address Flaw Remediation Plans of Action and Milestones (POA&Ms) in a Timely Manner. The FDIC had 31 POA&Ms related to flaw remediation open past their estimated completion dates.
- The FDIC Did Not Configure Privileged Accounts in Accordance with the Principle of “Least Privilege.” The FDIC continued to configure accounts with elevated account settings that were not needed for administrators to perform their business roles, and in some instances the FDIC allowed users elevated access longer than needed.
- The FDIC Did Not Fully Implement Its Document Labeling Guide. The FDIC had not yet fully implemented document labeling guide requirements across the organization.
The report contains a recommendation for the FDIC to address the 31 flaw remediation POA&Ms. It also contains a listing of three unimplemented recommendations from prior FISMA reports. The OIG engaged the professional services firm of Cotton & Company Assurance and Advisory, LLC to conduct this audit.