The FDIC OIG issued its 2025 report on the FDIC’s Information Security Program in accordance with statutory FISMA requirements. The objective of this evaluation was to assess the effectiveness of the FDIC’s information security program and practices. We contracted with the firm KPMG LLP to perform this work.
KPMG determined that the FDIC’s overall information security program was operating at a Maturity Level 4 (Managed and Measurable) with respect to the FY 2025 FISMA Metrics.
KPMG found the FDIC’s information security program was generally effective and that the FDIC established several information security program controls and practices that were consistent with FISMA requirements. However, the report describes security control weaknesses that diminished the effectiveness of certain aspects of the FDIC’s information security program and practices. Newly identified security control weaknesses include:
- The FDIC did not implement the privileged access review frequency requirements for either of the two systems we tested.
- The FDIC relied on an incomplete and inaccurate user listing when performing user recertification for one of the systems we tested.
KPMG made four new recommendations related to weaknesses identified during this year’s evaluation. The FDIC concurred with these recommendations and plans to complete corrective actions by May 29, 2026.