Consumer Financial Protection Bureau’s security falls apart amid layoffs
Summary
The Office of the Inspector General (OIG) audited the Consumer Financial Protection Bureau’s (CFPB) information security programme and found it “is not effective.” Since the previous audit the bureau’s cybersecurity maturity rating fell two levels, from level-4 (managed and measurable) to level-2 (defined), on the five-level scale used in inspector general FISMA assessments. Key failures include missing or expired system authorisations, the absence of cybersecurity risk profiles, and continued use of software that no longer receives security updates.
The OIG found 35 systems operating with expired or missing authorisations to operate or use (ATOs/ATUs); 21 of those relied only on risk acceptance memorandums (RAMs), which document accepted risk in place of the assessment evidence a full authorisation package requires. The report also flagged software still running past its end-of-life date and tied the lapses to resource shortfalls after contractor terminations and staff departures. The CFPB largely concurred with the recommendations and pledged to implement them, while disputing parts of the report’s portrayal of the risk posed by some systems.
Key Points
- The OIG concluded the CFPB’s infosec programme “is not effective” and downgraded its maturity rating from level-4 (managed and measurable) to level-2 (defined).
- The CFPB did not produce or use cybersecurity risk profiles, so it has no documented current posture, target posture or prioritised gap list to drive its security work.
- 35 systems were operating with expired or missing authorisations to operate/use (ATOs/ATUs); 21 relied solely on RAMs without a full authorisation package, meaning the risk was accepted without a current assessment behind it.
- The agency continues to run unsupported software that no longer receives security patches, so newly disclosed vulnerabilities in it stay exploitable.
- Resource constraints (contractor terminations and staff departures) eroded continuous monitoring, testing and authorisation activities; contractor support fell from roughly 66% to roughly 25% in early 2025.
- The CFPB agreed to implement the six OIG recommendations but disputed parts of the report, arguing that some of the cited systems are low risk or do not contain bureau data.
Context and Relevance
This matters because the CFPB holds and processes sensitive consumer data (personal, investigative and supervisory information). Unsupported software widens the exploitable attack surface directly; lapsed authorisations and missing risk profiles are a different kind of problem, because an expired ATO is not itself a vulnerability but a sign that the assessment and continuous monitoring behind it have stopped, so nobody can credibly attest that the remaining controls work. The findings also reflect a broader federal trend: workforce cuts and contract terminations have degraded other agencies’ cyber capabilities too, and decisions to reduce capacity have tangible security consequences.
Author style
Punchy: this is more than bureaucratic nitpicking. The audit documents concrete, systemic lapses that lower assurance for systems handling sensitive consumer data. Security teams, policymakers and anyone tracking federal cyber resilience should note how quickly and how far the programme slipped; the bureau’s response is promising, but the gaps are material.
Why should I read this?
Short and blunt: it’s a mess. Key security authorisations are missing or expired, end-of-life software is still running, and staffing cuts have hollowed out monitoring and testing. If you care about consumer data safety, federal cyber resilience, or how budget and staffing decisions translate into real risk, this is worth a skim (or a deep read if you run an authorisation and continuous-monitoring programme for similar systems).
