OIG finds FDIC info security program at a level not considered effective, but says improvements underway

The overall score earned by the information security program of the federal bank deposit insurer shows the agency’s program remains less than effective, according to the metrics used for the evaluation detailed Monday by the agency’s Office of Inspector General (OIG).

The OIG issued a report Monday on its evaluation of the Federal Deposit Insurance Corp. (FDIC) information security program under parameters set by the Federal Information Security Modernization Act of 2014 (FISMA). The audit used the Department of Homeland Security’s reporting metrics, the “IG FISMA Reporting Metrics,” and a maturity model that aligns with the five function areas in the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity: Identify, Protect, Detect, Respond, and Recover.

Under that maturity model, IGs must assign maturity level ratings to each of the above-noted five function areas, as well as an overall rating, using a scale of 1-5. The five maturity level ratings are (1) Ad Hoc, (2) Defined, (3) Consistently Implemented, (4) Managed and Measurable, and (5) Optimized.

The FDIC program’s overall score was Maturity Level 3; programs operating below a Maturity Level 4 “are not considered to be effective,” the report says.

The report notes that the FDIC established a number of information security program controls and practices that were consistent with FISMA requirements, OMB policy and guidelines, and NIST security standards and guidelines. The FDIC also took or was working to take steps to strengthen its information security program controls following the FISMA audit conducted in 2018.

“However, the FISMA report describes security control weaknesses that limited the effectiveness of the FDIC’s information security program and practices and placed the confidentiality, integrity, and availability of the FDIC’s information systems and data at risk,” the report states.

FISMA requires federal agencies to conduct annual independent evaluations of their information security programs and practices and to report the results to the Office of Management and Budget (OMB). FISMA requires these independent evaluations to be performed by the agency IG or by an independent external auditor selected by the IG.

OIG report: The FDIC’s Information Security Program – 2019