FDIC addressing concerns raised by OIG over wireless network cloud service approved prior to NIST framework change

August 20, 2021 FDIC 0

The Federal Deposit Insurance Corp. (FDIC) reportedly is addressing concerns raised by its Office of Inspector General (OIG) over an external wireless network solution cloud service that was deployed prior to a 2018 risk management framework update by the National Institute of Standards and Technology (NIST), according to a response included with an OIG memorandum released Thursday.

The OIG, in its Aug. 17 memorandum recounting its findings and concerns, said the wireless solution, which allows users to set up, monitor, and configure wireless networks through a cloud-based service, has been used to set up secure wireless networks during bank closings; for examiner courses with a need for an external internet connection; and for setting up mobile devices.

Based on an August 2018 determination that the wireless solution was a non-cloud outsourced service – noting the service did not fully meet NIST’s definition of a cloud solution – the wireless solution project team determined the solution did not require an agency official’s authorization to operate (ATO) but was instead subject to the Chief Information Officer Organization’s (CIOO) outsourced solution assessment methodology (OSAM). In December 2018, NIST issued a publication that integrated security-related, supply chain risk management concepts into its risk management framework for information systems and organizations, which the OIG noted made the OSAM “redundant.”

This new, mandatory change superseded the assessment methodology used for the FDIC’s wireless solution, the OIG said. Besides urging additional review and risk mitigation, the OIG said it was important to note also that the FDIC’s cyber risk management section (CRM) had not been aware of different divisions’ use of the tool. It said it “is important that the CRM is aware of all uses of the Wireless solution in the FDIC environment to ensure risks are fully evaluated …”

The FDIC’s chief information security officer, in a response Aug. 10 to the OIG’s concerns, acknowledged that the wireless service – in fact, several of the agency’s legacy systems – were not within the requirements of NIST’s revised framework and that work was underway to correct that.

OIG memorandum: Concerns Related to the FDIC’s Pending Authorization to Operate Its External Wireless Network Solution Cloud Service

Credit card rewards ‘devalued, denied’ after program terms met, consumers allege to agency

May 9, 2024 0

Credit card rewards are often devalued or denied even after program terms are met, consumers have told the federal consumer financial protection agency, it said in a report released Thursday. The Consumer Financial Protection Bureau (CFPB) further charged that credit [...]
Large banks ‘well positioned’ to absorb financial shock; CRE risk sizable but manageable, Fed governor says

May 8, 2024 0

The capital adequacy and liquidity of the largest and most interconnected financial firms appear “well positioned” to absorb a shock to the financial system, the Federal Reserve Board’s chair of its financial stability committee said Wednesday. Meanwhile, she added, risk [...]
Report finds sexual harassment at FDIC went on ‘far too long’; board chairman’s role highlighted

May 7, 2024 0

A failure to provide a workplace safe from sexual harassment, discrimination, and other interpersonal misconduct went on “for far too many employees and for far too long,” according to a report issued Tuesday by a special committee of the board [...]
Bureau dings Chime, orders it to pay $4.55 million over untimely account-closure refunds

May 7, 2024 0

The financial-technology (fintech) firm Chime Financial must pay a $3.25 million civil money penalty (CMP) and provide at least $1.3 million in consumer redress for its failure to timely provide consumers their account balance refunds after they closed their accounts, [...]
BSA/AML deficiencies noted in Fed order with Montana bank

May 7, 2024 0

First Citizens Bank of Butte, Butte, Mont., is required to bring its operations into compliance with Bank Secrecy Act (BSA) anti-money laundering (AML) rules and regulations under an agreement announced Tuesday by the Federal Reserve Board. In the May 2 [...]
Agencies nudged to act on coordinating identification, tackling of blockchain risks

May 7, 2024 0

Identifying and addressing blockchain risks needs to be addressed by two federal banking regulators, as recommended last year, according to a report issued Tuesday by the congressional watchdog. In separate reports on “open priority recommendations,” the congressional Government Accountability Office [...]