The Consumer Financial Protection Bureau (CFPB) did not fully assess and authorize all of its cloud systems and did not effectively communicate with the FedRAMP program management office, leaving its cloud security at risk, according to an inspector general report published July 17.
The report found that one of the agency’s cloud systems supporting call center operations was not properly assessed and did not receive an authorization to operate (ATO) before the agency began using it. The system was deployed “because of an overreliance on vendor-provided security information and operational priorities,” the report noted.
The inspector general recommended that the agency ensure that all analysis and authorization activities are completed before putting a system into production, and that agency-specific authorizations continue to be used. The bureau concurred with that recommendation. CFPB is currently analyzing the system and plans to grant an ATO.
The inspector general also found that CFPB did not effectively communicate with the FedRAMP program management office, leading to an incomplete inventory of the agency’s FedRAMP systems. The confusion also led to a lack of timely access to security incident information or continuous monitoring reports.
“These issues, along with other potential deviations from Bureau security practices, could have been flagged through better oversight by the Bureau and effective information sharing with the [program management office] or the [cloud service provider], as appropriate,” the report states.
The inspector general recommended that CFPB ensure that continuous monitoring information is reviewed in a timely manner for all systems, and that the bureau perform a risk assessment for any identified gaps. CFPB’s CIO agreed, and noted that the bureau has deployed a tool to provide management visibility, and has implemented processes to update the program management office in a timely manner.