OIG: 2024 Audit of the CFPB's Information Security Program - CFPB Report 2024-IT-C-019
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>
<meta property="og:title" content="OIG: 2024 Audit of the CFPB's Information Security Program"/>
<meta property="og:description" content="The OIG provides independent oversight of the Board and the CFPB to improve their programs and operations and to prevent and detect fraud, waste, and abuse."/>
<meta property="og:url" content="https://oig.federalreserve.gov/reports/cfpb-information-security-program-oct2024.htm" />
<meta name="twitter:title" content="2024 Audit of the CFPB's Information Security Program" />
<meta name="twitter:description" content="Each year, we audit the CFPB’s information security program as required by the Federal Information Security Modernization Act. The CFPB’s information security program remains effective as a whole." />
<title>OIG: 2024 Audit of the CFPB's Information Security Program - CFPB Report 2024-IT-C-019</title>
<link href="/_/includes/main.css" rel="stylesheet" type="text/css" media="screen"/>
<link href="/_/includes/print.css" rel="stylesheet" type="text/css" media="print"/>
</head>
<body>
<div class="container landing-page">
<div class="work-plan-container">
<p><strong>CFPB Report: </strong><span class="report-number">2024-IT-C-019 </span><span class="date">October 31, 2024</span></p>
<div>
<div class="report-header-container">
<div><a id="maincontent"></a><h1>2024 Audit of the CFPB's Information Security Program</h1></div>
<div class="style-report-navigation"> </div>
</div><!-- Closes report-header-container -->
<div class="report-header-container-aside">
<h2>available formats</h2>
<ul>
<li> <h3>Summary:</h3> <a href="/reports/cfpb-information-security-program-summary-oct2024.pdf">PDF </a> | HTML </li>
<li> <h3>Full Report:</h3> <a href="/reports/cfpb-information-security-program-oct2024.pdf">PDF (2 MB)</a> </li>
</ul>
</div><!-- Closes report-header-container-aside -->
</div>
</div><!-- Closes work-plan-container -->
<div class="style-content">
<div class="style-report-text" style="float:left">
<p>Each year, we audit the CFPB's information security program as required by the Federal Information Security Modernization Act.</p>
<p>The CFPB's information security program remains effective as a whole. In addition, the agency has strengthened its program since our last review, for instance, by adding near-real-time updates to security training. Still, to remain effective, the CFPB's program can be further strengthened in several areas, such as configuration management and data loss prevention.</p>
<p>This report includes eight new recommendations to strengthen the CFPB's information security program and details the agency's progress in addressing our previous recommendations.</p>
</div><!-- Close style-report-text-->
</div><!-- Close style-content -->
</div><!-- Closes container landing-page -->
<!-- Last Published: Nov 05, 2024 10:00 A -->
</body>
</html>