Date Issued
Submitting OIG
Federal Reserve Board & CFPB OIG
Agencies Reviewed/Investigated
Consumer Financial Protection Bureau
Report Number
2025-IT-C-012
Report Type
Audit
Agency Wide
Yes
Number of Recommendations
6
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Open Recommendations

This report has 6 open recommendations.
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
1 | No | $0 | $0 | Determine what enterprise risk management roles, responsibilities, and strategy components should be defined and leveraged for the development and maintenance of cybersecurity profiles.
2 | No | $0 | $0 | Develop and maintain cybersecurity risk registers to aggregate, normalize, and prioritize cybersecurity risks.
3 | No | $0 | $0 | Develop policies and procedures to create and maintain cybersecurity profiles.
4 | No | $0 | $0 | Perform a review of previously granted risk acceptance memorandums to determine whether they were based on a complete review of the system or common controls (as required by National Institute of Standards and Technology Special Publication 800-37, Revision 2) and perform additional risk analysis and/or compensating controls as needed for affected systems.
5 | No | $0 | $0 | Ensure that risk acceptance memorandums reflect an assessment of qualitative and quantitative cybersecurity risks, as applicable.
6 | No | $0 | $0 | Evaluate options to perform ongoing information continuous monitoring activities commensurate with the current threat environment.

Federal Reserve Board & CFPB OIG

United States