The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General has issued its audit report pursuant to the Federal Information Security Modernization Act of 2014 (FISMA). The objective of the audit was to evaluate the effectiveness of the FDIC’s information security program and practices. The OIG engaged the firm of Cotton & Company Assurance and Advisory, LLC to perform this work based on guidance from the Office of Management and Budget.
Inspectors General assign maturity level ratings to each FISMA metric, as well as an overall rating, using a scale of 1‑5, where 5 represents the highest level of maturity. The FDIC’s overall information security program was operating at a Maturity Level 4 (i.e., Managed and Measurable).
The FDIC had established a number of information security program controls and practices that were consistent with information security policy, standards, and guidelines. However, the audit report describes security control weaknesses that reduced the effectiveness of the FDIC’s information security program and practices, including:
- The FDIC Needs to Fully Implement a Software Inventory Automation Program to Manage End-of-Life and End-of-Service Assets: The FDIC’s platform for monitoring software assets contained unreliable data that limited the FDIC’s ability to manage software approaching or having reached end-of-life or end-of-service.
- The FDIC’s Supply Chain Risk Management (SCRM) Program Lacks Maturity: The FDIC is still developing policies and procedures to address the SCRM finding from the FY 2021 FISMA report. Additionally, the OIG evaluation report of The FDIC’s Implementation of Supply Chain Risk Management (issued March 2022) included nine recommendations, five of which remained unimplemented as of July 28, 2023.
- The FDIC Did Not Remove Accounts Belonging to Separated Personnel in a Timely Manner: The FDIC did not consistently remove accounts for individuals who departed the FDIC. Of the accounts belonging to 44 employees and contractors sampled that departed the FDIC in 2023, six accounts belonging to three employees and two contractors were not disabled within one business day of the user separation as required. Access for the six accounts was removed between 4 and 84 days after the user separation date, including one privileged account.
- The FDIC Did Not Configure Privileged Accounts in Accordance with the Principle of “Least Privilege”: In the OIG’s earlier audit report of the FDIC’s Security Controls Over Windows Active Directory, the OIG identified several instances where accounts were configured with elevated account settings that were not needed for administrators to perform their business roles. In other instances, users had elevated access longer than needed. The OIG issued 15 recommendations, five of which directly related to privileged accounts and remained unimplemented as of July 28, 2023.
- The FDIC Needs to Enforce Cybersecurity and Privacy Awareness Training Requirements: Over 400 personnel did not complete Cyber Security and Privacy Awareness Training as required. As of July 13, 2023 (13 days after the training due date), these users retained access to the FDIC network and resources despite not having completed the required training due to technological issues preventing the application of existing training-related user access restrictions.
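The separated-personnel finding above turns on one measurable control: an account must be disabled within one business day of the user's separation date. The following is an added illustration, not code from the report or from the FDIC, of how a defender can test that control by reconciling HR separation records against directory account status and reporting every account that missed the deadline, along with how late it was and whether it is privileged. The records, dates, user names and the one-business-day threshold are constructed for the example; business days are counted as Monday to Friday without a holiday calendar, which is an assumption a real check would replace.

```python
"""Reconcile HR separation records against directory account status.

Added example (not from the audit report): flag accounts of departed
personnel that were not disabled within the required number of business
days. All sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Separation:
    user: str
    separated_on: date
    privileged: bool = False


@dataclass
class AccountStatus:
    user: str
    disabled_on: Optional[date]  # None means the account is still enabled


def business_days_between(start: date, end: date) -> int:
    """Count Monday-Friday days after `start` up to and including `end`.

    Assumption: holidays are ignored; a production check would consult the
    organisation's holiday calendar instead of only skipping weekends.
    """
    if end <= start:
        return 0
    days = 0
    cur = start
    while cur < end:
        cur += timedelta(days=1)
        if cur.weekday() < 5:  # 0..4 are Monday..Friday
            days += 1
    return days


def find_late_removals(separations: List[Separation],
                       statuses: List[AccountStatus],
                       as_of: date,
                       sla_business_days: int = 1) -> List[Dict]:
    """Return one record per account that stayed enabled past the SLA.

    An account that is still enabled is measured up to `as_of`, so a missing
    disable date is reported rather than silently passing.
    """
    status_by_user = {s.user: s for s in statuses}
    late = []
    for sep in separations:
        st = status_by_user.get(sep.user)
        if st is None:
            continue  # no directory account to disable
        end = st.disabled_on if st.disabled_on else as_of
        bdays = business_days_between(sep.separated_on, end)
        if bdays > sla_business_days:
            late.append({
                "user": sep.user,
                "business_days": bdays,
                "calendar_days": (end - sep.separated_on).days,
                "privileged": sep.privileged,
                "still_enabled": st.disabled_on is None,
            })
    return late


# Constructed sample input: two on-time removals, one late, one never done.
SEPARATIONS = [
    Separation("alice", date(2023, 3, 6)),                    # Monday
    Separation("bob", date(2023, 3, 10)),                     # Friday
    Separation("carol", date(2023, 3, 6)),                    # Monday
    Separation("dave", date(2023, 3, 1), privileged=True),    # Wednesday
]
ACCOUNTS = [
    AccountStatus("alice", date(2023, 3, 7)),   # next business day: on time
    AccountStatus("bob", date(2023, 3, 13)),    # Friday -> Monday: on time
    AccountStatus("carol", date(2023, 3, 10)),  # four business days: late
    AccountStatus("dave", None),                # still enabled: late
]
AS_OF = date(2023, 5, 24)


def run_sample() -> List[Dict]:
    return find_late_removals(SEPARATIONS, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

Running this against real data means exporting the separation feed from HR and the account state (with the last-disabled timestamp) from the directory; the report is then a direct test of the control rather than a sampled review, and the `privileged` flag lets an operator sort the privileged stragglers to the top.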
The report contains two recommendations related to removal of accounts belonging to separated personnel, and cybersecurity and privacy awareness training. The FDIC concurred with the recommendations and plans to complete corrective actions by June 28, 2024.