CFPB’s inspector general downgrades Bureau’s information security program, issues new recommendations in annual audit
On October 31, the Fed’s Office of Inspector General (OIG) released its annual Federal Information Security Modernization Act audit of the CFPB’s information security program, concluding the program’s maturity level declined from the prior year and was no longer effective. The report cited lapses in maintaining authorizations to operate various systems, insufficient cybersecurity risk analyses, and continued use of outdated software as contributing to the decline in effectiveness. Specifically, the audit identified two main findings: (i) the Bureau lacked cybersecurity risk profiles to help assess, tailor and prioritize its cybersecurity approach; and (ii) the CFPB did not consistently maintain system authorizations, thus increasing risks to sensitive data.
To address these issues, OIG made six new recommendations segmented by finding. For cybersecurity risk profiles, OIG issued three recommendations: (i) define and leverage appropriate enterprise risk management roles, responsibilities and strategy components for developing and maintaining cybersecurity profiles; (ii) implement cybersecurity risk registers to “aggregate, normalize, and prioritize” risks; and (iii) develop policies and procedures to create and maintain cybersecurity profiles.
For system authorizations, OIG recommended that the Bureau: (i) review previously granted risk acceptance memoranda (RAMs) to determine “whether they were based on a complete review” and conduct additional risk analysis or implement compensating controls as needed; (ii) ensure RAMs assess both qualitative and quantitative cybersecurity risks; and (iii) consider options for “ongoing information continuous monitoring activities” aligned with the current threat landscape.
The audit reported that CFPB management concurred with all six recommendations and outlined actions and timelines to address each. For the cybersecurity risk profile recommendations, management stated it planned to update templates, further the development and maintenance of cybersecurity profiles, enhance risk aggregation tools, and incorporate new NIST requirements into its enterprise risk management framework, with completion targeted for the fourth quarter of fiscal year 2026.
For the system authorization recommendations, the Bureau committed to conducting a comprehensive review of active risk acceptances, evaluating and, where appropriate, updating its risk-based decision processes, and strengthening continuous monitoring activities, with actions scheduled for completion during fiscal year 2026. OIG stated that all of the Bureau’s responses to the recommendations were “responsive.”