The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) has issued its evaluation report pursuant to the Federal Information Security Modernization Act of 2014 (FISMA). The objective of the evaluation was to assess the effectiveness of the FDIC’s information security program and practices. The OIG engaged the firm of KPMG, LLP to perform this work based on guidance from the Office of Management and Budget.
Inspectors General assign maturity level ratings to each FISMA metric, as well as an overall rating, using a scale of 1-5, where 5 represents the highest level of maturity. The FDIC’s overall information security program was operating at a Maturity Level 4 (i.e., Managed and Measurable).
The FDIC had established a number of information security program controls and practices that were consistent with information security policy, standards, and guidelines. However, the evaluation report describes security control weaknesses that reduced the effectiveness of the FDIC’s information security program and practices, including:
- The FDIC Did Not Fully Enforce Plan of Actions and Milestones (POA&Ms) Documentation Requirements.
- The FDIC Needs to Enforce Role-Based Training Requirements.
- The FDIC Did Not Fully Implement Audit Logging Requirements on Assessed Information Systems.
- The FDIC Did Not Review Audit Logs at Sufficient Frequency within Cloud Information Systems.
- The FDIC Did Not Remediate Overdue POA&Ms Related to SI-2 (Flaw Remediation).
The report contains three recommendations related to addressing the weaknesses identified during this year’s evaluation. In addition, there are two outstanding recommendations from prior FISMA reports along with other time-sensitive activities warranting the FDIC’s continued attention. The FDIC concurred with the recommendations and plans to complete corrective actions by September 30, 2025.