Oversight

FDIC still weak on IT security, GAO says

Shutterstock image (by Pavel Ignatov): Alert icon.

The Federal Deposit Insurance Corp.'s IT security controls are insufficient to the point of placing "the confidentiality, integrity, and availability of financial systems and information at risk," the Government Accountability Office said in a new report.

FDIC, whose charge is maintaining public confidence in financial institutions, lacked an effective process for verifying user access to FDIC systems, the report said. The agency also failed to apply "critical" patches to third-party software vulnerabilities on financial-processing systems, the watchdog found.

GAO noted some progress in the agency's security regime. FDIC had, for example, improved controls for authenticating users and authorizing their access.

Nonetheless, some aspects of the agency's IT security program were not fully implemented, according to GAO. For example, the agency still lacked "a policy for monitoring critical file changes" to a server, the report said, recommending that the FDIC CIO implement such a policy.

Additionally, the report found that sensitive data including user identifications and passwords "continue to be transmitted over the network in clear text," because encryption hasn't been implemented for all FDIC mainframe connections.

FDIC "will have limited assurance that its sensitive financial information and resources will be secure" until longstanding and newfound vulnerabilities are addressed, the watchdog concluded.

The GAO report comes amid a congressional investigation of several breaches, which involved the inadvertent downloading of data by ex-FDIC employees, that the agency has retroactively deemed "major" incidents.

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.

Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.

Click here for previous articles by Lyngaas, or connect with him on Twitter: @snlyngaas.


Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.