OIG releases 2024 audit of the Fed’s information security program

Orrick, Herrington & Sutcliffe LLP

On October 31, the OIG for the Fed and the CFPB released its 2024 Audit of the Board’s Information Security Program. The audit found that the Board’s information security program continues to operate at a level-4 (managed and measurable) maturity. Since the 2023 Federal Information Security Modernization Act (FISMA) audit report, the Fed has made improvements, such as updating personnel security processes to ensure position risk designations are clearly documented and used. However, the audit identified areas where the program’s maturity has decreased, including the need for a supply chain risk management strategy, a review and escalation process for data loss prevention alerts, consistent documentation of systems, vulnerability scanning on mobile devices, annual testing of the incident notification and breach response plan, role-based privacy training, targeted phishing exercises, and ensuring timely incident reporting by cloud service providers.

The report included nine recommendations regarding the Board’s information security program in risk management, supply chain risk management, data protection and privacy, and security training. The Fed concurred with the recommendations and plans to address them with action plans and milestones. Additionally, 14 recommendations from prior FISMA audit reports remain open, and the audit warned that failure to address these could lead to a decline in the program’s maturity rating in 2025.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Orrick, Herrington & Sutcliffe LLP
