The Federal Deposit Insurance Corp. (FDIC) reportedly is addressing concerns raised by its Office of Inspector General (OIG) over a cloud-based external wireless network solution that was deployed before a 2018 update to the National Institute of Standards and Technology (NIST) risk management framework, according to a response included with an OIG memorandum released Thursday.
The OIG, in its Aug. 17 memorandum recounting its findings and concerns, said the wireless solution, which allows users to set up, monitor, and configure wireless networks through a cloud-based service, has been used to set up secure wireless networks during bank closings; for examiner courses with a need for an external internet connection; and for setting up mobile devices.
Based on an August 2018 determination that the wireless solution was a non-cloud outsourced service – noting the service did not fully meet NIST’s definition of a cloud solution – the wireless solution project team determined the solution did not require an agency official’s authorization to operate (ATO) but was instead subject to the Chief Information Officer Organization’s (CIOO) outsourced solution assessment methodology (OSAM). In December 2018, NIST issued a publication that integrated security-related supply chain risk management concepts into its risk management framework for information systems and organizations, which the OIG noted made the OSAM “redundant.”
This new, mandatory change superseded the assessment methodology used for the FDIC’s wireless solution, the OIG said. Besides urging additional review and risk mitigation, the OIG also noted that the FDIC’s cyber risk management section (CRM) had not been aware of different divisions’ use of the tool. It said it “is important that the CRM is aware of all uses of the Wireless solution in the FDIC environment to ensure risks are fully evaluated …”
The FDIC’s chief information security officer, in an Aug. 10 response to the OIG’s concerns, acknowledged that the wireless service – in fact, several of the agency’s legacy systems – did not meet the requirements of NIST’s revised framework and that work was underway to correct that.