The Office of Inspector General (OIG) at the Federal Deposit Insurance Corporation (FDIC) has issued its report on the Security of Critical Building Services at FDIC-owned Facilities. The FDIC relies heavily on critical building services to perform mission-essential functions and ensure the health and safety of its employees, contractors, and visitors. These services include electrical power; water; and heating, ventilation, and air conditioning (HVAC). Their uninterrupted operation may be threatened from numerous sources, such as cyberattacks, insiders, environmental disasters, and other dangers.
The FDIC maintains a Facilities Management Contract with EMCOR Government Services, Inc. (EMCOR), under which the contractor operates, maintains, repairs, and replaces mechanical equipment that supports building services at the FDIC’s Virginia Square facility.
We assessed whether the FDIC had effective controls and practices to protect electrical power, HVAC, and water services at its Virginia Square facility. Our audit focused on security controls over three information systems used by the FDIC, EMCOR, and its subcontractors to monitor, manage, and help ensure the uninterrupted delivery of these critical building services. We also assessed compliance with key security provisions in the Facilities Management Contract.
The FDIC implemented various controls and practices to protect critical building services and ensure their continued delivery. We found, however, that the FDIC did not subject the three information systems to the Risk Management Framework established by the National Institute of Standards and Technology, as required by Office of Management and Budget policy. As a result, we identified ineffective security controls, and a lack of security oversight and monitoring, for all three systems we reviewed. Ineffective security controls increased the risk of unauthorized access to these three systems, which could have led to a disruption of the systems, corruption of the systems’ data, or other malicious activity.
The FDIC also did not maintain signed Confidentiality Agreements for EMCOR or its subcontractor personnel working at the Virginia Square facility, as required by the Facilities Management Contract and FDIC policy. Confidentiality Agreements are important to the security posture of the FDIC, because these personnel had access to the FDIC’s information technology network and sensitive areas in the Virginia Square facility. In addition, the FDIC did not ensure that all EMCOR and subcontractor personnel had completed Information Security and Privacy Awareness Training or Insider Threat and Counterintelligence Awareness Training, as required by FDIC policy.
We made 10 recommendations to address these weaknesses, and FDIC management is taking action to address them.