The Federal Deposit Insurance Corporation (FDIC) took quick action to secure Domain Name System (DNS) services on its websites, meeting the deadlines set out in Emergency Directive 19-01, according to an audit conducted by FDIC’s inspector general and released September 24.
The audit focused on the Emergency Directive 19-01 issued by the Department of Homeland Security (DHS) on January 22, and FDIC’s actions to remediate vulnerabilities. The directive required agencies to audit its DNS records, change DNS account passwords, implement multi-factor authentication, and monitor certificate transparency logs within 10 days.
The audit found that FDIC succeeded in accomplishing these tasks within 10 days, taking “responsive actions” to meet the directive.
“The FDIC completed these actions within 10 business days, as prescribed in the Directive. In addition, the FDIC provided DHS with timely status and completion reports,” the inspector general notes.
FDIC was able to complete these actions by maintaining a complete listing of DNS servers and password holders for the organization, making implementation feasible and quick for the CIO’s office. The agency implemented multi-factor authentication within the timeframe, and followed the existing protocol on certificate transparency to meet DHS’ mandate.