On October 31, the Office of Inspector General (OIG) for the Federal Reserve Board and the CFPB published its 2024 Audit of the CFPB’s Information Security Program, reporting that the CFPB’s information security program operates effectively at a level-4 (managed and measurable) maturity. While the report noted that the CFPB has taken steps to improve its security program since the last review, it included eight recommendations:
- Complete the finalization of an agencywide data classification policy that accounts for the sensitivity of the data maintained by the CFPB.
- Ensure that data classification and sensitivity labels are incorporated into the CFPB’s data loss prevention program.
- Strengthen flaw remediation processes by developing and implementing a process to clearly map identified vulnerabilities to system IP addresses, host names, and remediation owners within the CFPB’s configuration management database.
- Ensure that adequate resources are allocated to reinvestigate CFPB system users.
- Develop and maintain a ransomware strategy and specific procedures that provide a formal, focused and coordinated approach to respond to ransomware attacks.
- Ensure that testing of mission-essential functions identified in the CFPB’s continuity of operations plan is periodically performed.
- Renew the authorization to use for the CFPB’s governance, risk and compliance tool.
- Implement a process that ensures the cyber risk information in the CFPB’s governance, risk and compliance tool is accurate and maintained.
The CFPB concurred with the recommendations and outlined plans to implement them. OIG will continue to monitor the CFPB’s progress in addressing the recommendations, as well as three unresolved findings from prior audits.