Fed’s OIG releases executive summary of CFPB security control review

The Federal Reserve’s Inspector General released last week an executive summary of the findings of its report on the CFPB’s information security controls.

Under the Dodd-Frank Act, the CFPB is required to establish a database to facilitate the collection, monitoring and response to consumer complaints regarding financial products and services. The Consumer Response System was first launched by the CFPB in June 2011 for credit card complaints but has since been expanded to accept complaints related to bank accounts, student loans, mortgages and other consumer loan products.

The 2002 Federal Information Security Management Act requires the Office of the Inspector General to evaluate the effectiveness of information security controls for agency information systems. The purpose of the review was to determine “whether the CFPB established contract solicitation and selection processes that facilitated compliance with applicable rules established by the Federal Acquisition Regulation.”

Since its last review, the OIG said it “found that a number of steps have been taken to secure the CRS,” adding, however, that “improvements are needed to ensure that the requirements of FISMA are met.”

The OIG made nine recommendations, including that the CFPB’s Assistant Director for Procurement develop an internal policy that details how the agency implements FAR requirements. Other recommendations include finalizing, disseminating and implementing the Small Business Review Form to facilitate FAR compliance in regard to small business implementation, and enhancing CFPB procedures to require documentation from the program official “justifying urgent procurement requests.”
