The infosec program run by the US’ Consumer Financial Protection Bureau (CFPB) “is not effective,” according to a fresh audit published by the Office of the Inspector General (OIG).
A summary of the report, dated October 31 and published on Monday, stated that since the OIG’s previous audit, the CFPB’s overall cybersecurity posture has decreased from level-4 maturity, defined as “managed and measurable,” to level-2 maturity – “defined.”
The two main factors adversely affecting the efficacy of its infosec management are sub-par maintenance of system authorizations and its failure to establish cybersecurity risk profiles.
Cybersecurity risk profiles describe an organization’s current and target cybersecurity posture and help prioritize security outcomes based on its policies, risk priorities, and requirements. Multiple profiles may be created for different divisions or data types – for example, systems handling personal or supervisory information.
The OIG noted that while the CFPB has developed tailored security controls and baselines, it has not used cybersecurity risk profiles, or any alternative method, to define and communicate its cybersecurity objectives, target outcomes, or security gaps. The bureau’s 2021 cybersecurity assessment included a basic risk profile, but it lacked the required elements of current and target profiles under the NIST framework.
Because the CFPB is responsible for safeguarding data such as personal information, confidential investigative information, and confidential supervisory information, maintaining up-to-date system authorizations is a key requirement.
Each system must be authorized by management, after considering the risk exposure of each against established controls, before entering production.
The OIG’s audit found 35 systems running either with expired ATOs or ATUs (authorizations to operate/use) or without ever undergoing an authorization process.
Of these, 21 were operated under risk acceptance memorandums (RAMs) that the CFPB had established in place of ATOs/ATUs, and never underwent an authorization process.
Keep up with the acronyms: a RAM is typically one of the inputs that informs an ATO, while the ATO itself is the official yes/no decision that authorizes a system for use.
RAMs only focus on the accepted risks of a system, and they contribute to a wider authorization package that informs the final ATO decision. This package typically comprises additional assessments and plans related to matters such as configuration management, incident response, and more.
Because the CFPB holds only RAMs and nothing else for some systems, it cannot, by accepted standards, assure that the security of those systems is operating at acceptable levels, nor perform reliable ongoing security assessments of them.
In addition to the two main findings, the OIG also highlighted that the agency continues to knowingly use outdated software that no longer receives updates, and has made no effort to secure extended support warranties.
The OIG alerted the CFPB to a specific software product that was reaching end of life in 2024 and that continues to operate at the agency today.
The audit drew attention to an unspecified 2023 case in which a federal agency was compromised by attackers exploiting vulnerabilities in unsupported software, to punctuate its point.
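The findings above reduce to a small set of inventory checks a security team can run continuously: is each system covered by a current ATO/ATU, is it relying on a RAM alone, was it never authorized at all, and is it running software past vendor end of life. The script below is an added example, not part of the OIG report or any CFPB tooling; the inventory, system names, dates and product names in it are constructed for illustration, and the prioritisation rule (impact level, then whether the system holds bureau data, then number of findings) is an assumption about how a team might rank what to fix first.

```python
"""Authorization and support-status triage over a constructed system inventory.

Added example: flags systems with expired, missing or RAM-only authorizations
and systems running unsupported software, then ranks them for remediation.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed ranking of impact levels (FIPS 199 style labels).
IMPACT_RANK = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class SystemRecord:
    name: str
    impact: str                          # "low", "moderate" or "high"
    holds_bureau_data: bool
    ato_expires: Optional[date]          # None when no ATO/ATU was ever issued
    has_ram: bool                        # a risk acceptance memorandum exists
    eol_software: list[str] = field(default_factory=list)  # products past vendor EOL


def classify(rec: SystemRecord, today: date) -> list[str]:
    """Return the finding codes that apply to one system on the given date."""
    findings: list[str] = []
    if rec.ato_expires is None:
        # No authorization decision was ever made; a RAM alone is not an ATO.
        findings.append("RAM_ONLY" if rec.has_ram else "NEVER_AUTHORIZED")
    elif rec.ato_expires < today:
        findings.append("EXPIRED_AUTHORIZATION")
    if rec.eol_software:
        findings.append("UNSUPPORTED_SOFTWARE")
    return findings


def triage(inventory: list[SystemRecord], today: date) -> dict[str, dict]:
    """Map each system with at least one finding to its findings and risk context."""
    report: dict[str, dict] = {}
    for rec in inventory:
        findings = classify(rec, today)
        if findings:
            report[rec.name] = {
                "findings": findings,
                "impact": rec.impact,
                "bureau_data": rec.holds_bureau_data,
            }
    return report


def summarize(report: dict[str, dict]) -> dict[str, int]:
    """Count how many systems carry each finding code."""
    counts: dict[str, int] = {}
    for entry in report.values():
        for code in entry["findings"]:
            counts[code] = counts.get(code, 0) + 1
    return counts


def prioritized(report: dict[str, dict]) -> list[str]:
    """Order flagged systems: higher impact, bureau data present, more findings first.

    This ordering is an assumption for the example, not a NIST or OIG rule; it
    is meant to answer the 'very low risk, no bureau data' argument with data.
    """
    def key(item):
        name, entry = item
        return (-IMPACT_RANK[entry["impact"]], not entry["bureau_data"],
                -len(entry["findings"]), name)
    return [name for name, _ in sorted(report.items(), key=key)]


# Constructed inventory (fictional systems, dates and product names).
INVENTORY = [
    SystemRecord("case-mgmt", "moderate", True, date(2024, 6, 30), True),
    SystemRecord("lab-sandbox", "low", False, None, True),
    SystemRecord("legacy-portal", "moderate", True, None, False,
                 ["example-os (vendor EOL 2024)"]),
    SystemRecord("hr-system", "moderate", True, date(2026, 3, 31), False),
]
AS_OF = date(2025, 10, 31)  # constructed assessment date


if __name__ == "__main__":
    rep = triage(INVENTORY, AS_OF)
    for name in prioritized(rep):
        print(f"{name:14} {rep[name]['impact']:9} "
              f"bureau_data={rep[name]['bureau_data']} {rep[name]['findings']}")
    print(summarize(rep))
```

Run stand-alone, the script lists the three flagged systems in remediation order and prints per-finding counts; a system with a current ATO and no EOL software (`hr-system`) produces no finding. Feeding it a real inventory export instead of the constructed list is the only change needed to turn it into a recurring continuous-monitoring check.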
CFPB’s responses
The agency largely concurred with all of the issues raised by the report, and promised to implement the six recommendations the report made.
However, it told the OIG that its claim that “the agency has not maintained cybersecurity risk registers” was “misleading.”
It also told the OIG that the report “provides the misleading impression that the Bureau has a lax information security posture.”
It added: “For example, the report states that the CFPB is not consistently completing ATOs or authority to use ATUs, instead using RAMs, which do not properly document risks assessed.”
The CFPB also said that the audit failed to explain that many of its systems are “very low risk and do not contain any Bureau data,” an assertion which the OIG said wasn’t entirely true – most are classified as moderate risk, and others do indeed contain sensitive data.
The Register contacted the CFPB for additional comment and will update this story if we hear back.
Resource constraints
The OIG noted the CFPB’s reduction in resources as an explanation for the poorer ratings this time around.
In this context, resources refer to available contractors and the number of staff who have left the agency – those who were in part responsible for the continuous monitoring and testing activities, and for the use of RAMs.
Contractors comprised around 66 percent of the individuals tasked with supporting its infosec program at the start of 2025.
However, by February, this had dropped to 25 percent after a termination for convenience was issued, and then government staff left the agency, compounding the resource constraints.
This staffing capacity has not since been replenished, although the CFPB said it is in the process of identifying and redeploying staff from other offices to fill these gaps.
The OIG stated: “This decrease resulted from task orders supporting ISCM, security controls testing, and program management activities being either terminated or de-obligated, resulting in the loss of contractor resources. Contractor support for cyber operations was kept. Along with staff departures, these actions have affected the ability of the agency to effectively maintain cybersecurity activities in those areas.”
The audit made no specific mention of government cuts, although these have certainly affected the CFPB, and the above timelines align with the Trump administration’s efforts to scupper the agency, which the president claimed had been operating extra-politically prior to his inauguration.
The Trump administration in April announced plans to cut the CFPB’s workforce by about 90 percent – roughly 1,500 positions – amid longstanding criticism that the agency imposed unnecessary regulatory burdens and costs on businesses.
Similar cuts have been made to other agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), and have led to a reported dulling of the US’ cyber capabilities.