The Consumer Financial Protection Bureau’s (CFPB) overall information security program is ineffective, and the agency continues to face challenges safeguarding and tracking its IT equipment, according to two recent reports from the CFPB’s Office of Inspector General (OIG).

In its Oct. 31 audit, the OIG said the bureau’s information security program decreased from a level-4 maturity (managed and measurable) to a level-2 maturity (defined) in fiscal year 2025.

According to the report, the CFPB failed to maintain authorizations to operate for many of its systems and relied on “risk acceptance memorandums without a documented analysis of cybersecurity risks.”

According to the audit, this issue has been compounded by the loss of contractor resources that support information security continuous monitoring and testing activities, as well as the departure of agency personnel.

“We further concluded, based on the results of our determinations of effectiveness in each domain and function, that the CFPB’s overall information security program is not effective,” the report says.

The OIG recommended improvements to the CFPB’s information security program in the areas of cybersecurity profiles, security authorizations, and continuous information security monitoring. In response, CFPB officials concurred with the recommendations.

Days later, on Nov. 4, the OIG released a separate report focusing on the CFPB’s physical management of IT assets, which found large quantities of unused laptops, tablets, and smartphones stored across nine rooms at CFPB headquarters.

Of the 6,460 devices in the agency’s inventory, 1,671 were unassigned, with 926 “pending disposal.” The OIG found that equipment awaiting disposal was stored “loosely arranged” and often mixed with active devices, raising concerns that the CFPB could dispose of “laptops still containing CFPB data.”

Additionally, IT assets were often stored in rooms “without adequate security controls, increasing the risk of theft of CFPB data.”

The watchdog recommended that the bureau update policies to schedule timely disposals, label and separate devices with hard drives, and establish systematic methods for organizing IT assets. CFPB officials concurred with the recommendations.

Notably, the OIG also warned that in light of CFPB’s ongoing workforce reduction, “the agency is likely to see an influx of thousands of IT assets returned.”

“Such a possibility could create significant information security risks,” the report says, adding, “Without processes to reduce and systematically store its IT inventory, [CFPB] may not be able to keep pace with the amount of incoming assets to ensure that data is properly removed, assets are tracked and secured, and disposal occurs as needed.”

Grace Dille
Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.