OIG notes 2 cases where background investigations of individuals given ‘privileged’ access to FDIC data weren’t commensurate with risk

A review of 144 contractors and employees given privileged access to Federal Deposit Insurance Corp. (FDIC) information systems and data uncovered two instances where the agency’s background investigations were not commensurate with the risk designations assigned those individuals, a memo released Thursday shows, and one of those individuals, a contractor, was later terminated.

The FDIC Office of Inspector General (OIG) said that during a security controls audit, it “noticed that of the 144 privileged account holders, the FDIC had assigned a ‘high’ risk designation for 132 account holders (92 percent) and had, therefore, conducted a ‘high’ BI [background investigation] for these individuals. For the other 12 privileged account holders consisting of both contractors and employees, the FDIC did not conduct a ‘high’ BI.”

The OIG identified the two cases of note while reviewing the 12 individuals for which the agency did not conduct a ‘high’ background investigation, or one that would be done for a person who was being vetted for a “high-risk” designation level – one that “has the potential for exceptionally serious impact involving duties especially critical to the FDIC’s mission, with broad scope and authority and with major program responsibilities that affect a major computer/automated data processing (ADP) system(s).”

Findings regarding those two individuals are as follows:

  • For one privileged account holder, the FDIC had not conducted a BI commensurate with the risk designation level in the FDIC Corporate Human Resources Information System (CHRIS). “Specifically, the employee was hired as an IT Specialist in June 2020 and placed on a position description (PD) with a moderate risk designation. On February 28, 2021, the FDIC reassigned the employee to a PD with a high risk designation,” the memo states. It notes that the FDIC  initiated an upgraded investigation in March 2021, but due to an administrative error on the associated forms, the upgraded BI was processed at the same moderate risk level and closed. It states that the FDIC questioned the discrepancy in October 2021 and again requested an upgraded investigation, then favorably adjudicated the employee June 1, 2022. But this employee, the memo states, had held privileged access to FDIC’s systems and data for approximately 15 months before the agency had favorably adjudicated the upgraded BI.
  • The memo states that privileged account holders were favorably adjudicated with one exception. “Specifically, we found that the FDIC had conducted a preliminary BI for a contract employee in February 2021 and granted access to a privileged account in April 2021. However, the BI was not adjudicated until November 2021, and the adjudication was unfavorable at that time,” it states. “Based on the adjudication, the FDIC ceased the privileged access and terminated the contractor consistent with its policies and procedures. The contractor had access to privileged accounts for approximately 7 months while the BI was being adjudicated.”

The OIG memo notes that the FDIC, responding to the findings, agreed that procedures could be improved in this area and said it plans to perform follow-up work to further assess risks, with any improvements warranted slated for completion by the end of this calendar year.

Background Investigations for Privileged Account Holders (FDIC OIG Audits, Evaluation and Cyber Memorandum 22-002