The overall information security program at the Federal Deposit Insurance Corp. (FDIC) was deemed to be operating at a “maturity level” 4 (out of a possible 5) in an audit report released recently by the agency’s Office of Inspector General (OIG), but the auditing firm also noted “significant security control weaknesses” that could be improved.
The audit was performed in accordance with the May 2021 version of the Department of Homeland Security’s (DHS) Federal Information Security Modernization Act (FISMA) reporting metrics. The rating of 4 in this audit is the second-best rating possible and is defined to indicate the FDIC’s info security program is “manageable and measurable,” according to the report; 5 would mean it is “optimized.”
That said, the outside firm that conducted the audit – Cotton & Company – said it was constrained by the methodology and limitations as required by the DHS FISMA Metrics.
“This mode-based methodology does not seem to fully capture the nature, scope, and magnitude of the risk posture of an agency’s IT security, because it requires the agency to receive the higher rating when there are an equal number of ratings at different levels,” the report stated. “In cases where there is a tie for the most frequent rating, the DHS FISMA Metrics indicate that the agency will be rated at the higher level, even where there is a wide disparity among ratings. The same mode-based scoring system applies at the function area level to calculate the overall agency rating.”
The report notes that the maturity model applied by the DHS FISMA metrics aligns with the five function areas in the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity: identify, protect, detect, respond, and recover. Like the overall rating, the five individual function ratings range from 1 to 5, with 5 indicating the highest level of maturity. In the 2021 FDIC program audit, the auditing firm assigned 4s to the protect, respond, and recover functions; a 3 to the identify function; and a 2 to the detect function.
As for specific findings, the FDIC OIG said the audit report describes significant security control weaknesses that reduced the effectiveness of the FDIC’s information security program and practices “and that can be improved to reduce the impact to the confidentiality, integrity, and availability of the FDIC’s information systems and risk to data.” It said the FDIC “should ensure a proper sense of urgency and expediency to proactively address and resolve weaknesses in its information security program.” Among the most significant weaknesses identified by Cotton & Company were:
- a high number – 176 – of overdue and unaddressed high- and moderate-risk plans of action and milestones (POA&Ms) in the Cyber Security Assessment and Management system that had scheduled completion dates ranging from March 2010 to July 2021;
- a lack of maturity for the supply chain risk management program (SCRM) (the agency established a directive that contains elements of an SCRM strategy but “has not defined processes and procedures that support the underlying components of the directive,” the report stated);
- need for improvement for administrative account management (administrative accounts are “highly sought-after targets by hackers” and others, the report stated; in this area, weaknesses have been reported in each of the past four FISMA audit reports issued since 2017; during 2021, auditors identified 10 additional open POA&Ms related to privileged user access);
- inadequate oversight and monitoring of FDIC information systems (detect – information security continuous monitoring).
The FDIC OIG said the auditing firm gave six recommendations that, if achieved along with another six outstanding from previous audits, “aim to strengthen the effectiveness of the FDIC’s information security program controls and practices.” The new six recommendations include:
- Develop and implement SCRM processes and procedures in accordance with the Supply Chain Risk Management Program Directive and applicable government guidance.
- Begin tracking completion of identity, credential, and access management (ICAM) milestones of its revised ICAM Roadmap.
- Complete implementation of the privacy continuous monitoring (PCM) process to include updating privacy impact assessments (PIAs) for all required systems.
- Implement document labeling guide requirements across the entire organization as dictated by business needs.
- Perform an analysis of the feasibility of applying the document labeling guide for documents that were created before the issuance of the directive.
- Ensure that the FDIC’s in-house and contractor-managed information systems are subject to a formal authorization process as defined in the risk management framework.