OIG Issues Follow-on Audit of the FDIC’s Identity, Credential, and Access Management (ICAM) Program
On June 9, 2017, the Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) issued an audit report that followed up on issues identified in a prior OIG report issued in September 2015, entitled The FDIC’s Identity, Credential, and Access Management (ICAM) Program (the ICAM Audit Report at https://www.fdicig.gov/reports15/15-011AUD.pdf). The prior report found that the FDIC had not achieved its goal of issuing identity credentials (known as personal identity verification (PIV) cards) to all eligible employees and contractor personnel. Such PIV cards are intended to provide a secure and reliable form of identification to allow individuals access to federally controlled facilities and information systems. In addition, our report found that the FDIC had not established appropriate governance to ensure the ICAM program’s success. The prior ICAM Audit Report included recommendations for FDIC management to define the goals and approach for implementing the program and to establish appropriate governance.
In light of the concerns identified in the prior ICAM Audit Report, we conducted a follow-on audit, the objective of which was to assess the FDIC’s plans and actions to address the recommendations contained in our prior report. We found that the FDIC took responsive action to address the recommendations in our prior report. However, considerable challenges and risks continued to exist. Specifically:
- The FDIC had not established corporate policies and procedures to govern the management and use of PIV cards for physical and logical access. Such policies and procedures are important for ensuring that employees and contractor personnel become aware of, and fully understand and properly carry out, their responsibilities with respect to PIV cards.
- The FDIC did not maintain current, accurate, and complete contractor personnel data needed to manage PIV cards. Absent reliable contractor personnel data, PIV cards may not be issued and revoked in a timely manner, presenting an increased risk of unauthorized access to FDIC facilities and the Corporate network.
- FDIC management had not finalized and approved a plan for retiring the FDIC’s legacy PIV card system. Without such a plan, the FDIC may incur unnecessary costs associated with maintaining the system longer than needed, and sensitive information in the system may not be disposed of in a timely or safe manner.
To address these risks, our report made four recommendations. Management concurred with our recommendations.