2024 Audit of the CFPB's Information Security Program

Date Issued

Thursday, October 31, 2024

Submitting OIG

Federal Reserve Board & CFPB OIG

Other Participating OIGs

Federal Reserve Board & CFPB OIG

Agencies Reviewed/Investigated

Consumer Financial Protection Bureau

Report Number

2024-IT-C-019

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

Open Recommendations

This report has 8 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
1	No	$0	$0
Complete finalization of an agencywide data classification policy that accounts for the sensitivity of the data maintained by the CFPB.
2	No	$0	$0
Ensure that data classification and sensitivity labels are incorporated into the CFPB’s data loss prevention program.
3	Yes	$0	$0
Strengthen flaw remediation processes by developing and implementing a process to clearly map identified vulnerabilities to system IP addresses, host names, and remediation owners within the CFPB’s configuration management database.
4	No	$0	$0
Ensure that adequate resources are allocated to reinvestigate CFPB systems users as required.
5	No	$0	$0
Develop and maintain a ransomware strategy and specific procedures that provide a formal, focused, and coordinated approach to responding to ransomware attacks.
6	No	$0	$0
Ensure that testing of mission-essential functions identified in the CFPB’s continuity of operations plan is periodically performed.
7	No	$0	$0
Renew the authorizations to use for the CFPB’s governance, risk, and compliance tool.
8	No	$0	$0
Implement a process that ensures the cyber risk information in the CFPB’s governance, risk, and compliance tool is accurate and maintained.