
Enhancing the FDIC's IT Security


Information technology (IT) is an essential component in virtually all FDIC business processes. This integration with the business provides opportunities for efficiencies, but also requires an awareness of potential risks. In 2018, the Chief Information Officer Organization focused its efforts on addressing cybersecurity risk, strengthening infrastructure resiliency, and improving IT governance.

Addressing FDIC Cybersecurity Risk

The FDIC’s Information Security Program is critical to the agency’s ability to carry out its mission of maintaining stability and public confidence in the nation’s financial system. The Information Security Program relies on effective and efficient cybersecurity practices that are designed to identify and protect against cybersecurity risks, and to detect, respond to, and recover from cybersecurity incidents as rapidly as possible with minimal disruption to stakeholders. The FDIC continues to strengthen and expand its cybersecurity program and practices.

On May 11, 2017, the President issued Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. The Executive Order builds on existing statutory requirements under the Federal Information Security Modernization Act of 2014, which establishes information security obligations for Federal agencies (including the FDIC). Following the Executive Order, OMB issued Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, M-17-25 (May 19, 2017), to provide agency heads with instructions for meeting the risk management reporting requirements in the Executive Order.

Cybersecurity continues to be a top management priority at the FDIC. To fulfill these requirements and strengthen cybersecurity, the FDIC took a number of actions during 2018 to enhance and improve its risk management practices.

The FDIC developed and implemented an Information Security and Privacy Strategic Plan to guide its efforts through 2021. This plan aligns with the FDIC Information Technology Strategic Plan: 2017 – 2020, and defines the core strategies needed to sustain and improve the FDIC’s cybersecurity posture.

To operationalize the strategy, the FDIC implemented a risk management function and assigned program-level and executive-level officials to manage information risk. Holding leaders accountable for the effective planning, implementation, and monitoring of risk management enables the FDIC to identify, prioritize, communicate, and sustain the information security and privacy controls required to mitigate cybersecurity risks across the agency.

Strengthening Infrastructure Resiliency

Infrastructure resilience requires that the FDIC be able to provide and maintain an acceptable level of service in the face of threats and challenges to normal computer and network operations. These threats and challenges range from simple misconfigurations and unforeseen large-scale natural disasters to targeted attacks. The FDIC works to ensure that its infrastructure can anticipate, absorb, adapt to, and rapidly recover from a potentially disruptive event.

In 2018, the FDIC launched a comprehensive initiative to expand and enhance its existing disaster recovery and business continuity capabilities, to ensure that designated IT systems and applications supporting mission-essential functions can be recovered within targeted timeframes. As part of this multi-year project, the FDIC is migrating key IT systems and applications to a new and larger backup data center (BDC). This effort will mitigate the current risk posed by the geographic proximity of the FDIC’s existing BDC to its primary data center, since a single regional event could otherwise affect both sites.

The new facility will provide security capabilities that are not available at the current recovery site, including enterprise logging, vulnerability identification, file integrity monitoring, forensic analysis, threat management, and security operational risk management. These enhancements will allow security operations and other key security functions to continue at the new site without interruption in the event of a failure or other contingency at the primary data center. The new BDC will also provide flexibility and scalability for future growth and increased computing requirements, accommodate potential future changes in the configuration of the network, and provide connectivity to cloud providers.

Additionally, the new BDC will provide for the rapid restoration (failover) of mission-critical business applications. Restoration processes will be automated to minimize manual intervention, and equipment will be maintained in a higher availability mode to enable faster restoration. As a result, the FDIC will be better positioned to preempt and rapidly recover from an outage or threat.

Improving IT Governance

The purpose of IT governance at the FDIC is to ensure that IT resources are used effectively and efficiently to achieve the FDIC’s goals and mission. IT governance enables the alignment of the FDIC’s strategies and goals with IT services, infrastructure, and environment.

During 2018, the FDIC implemented changes to enhance, consolidate, and streamline IT governance processes. The Security and Enterprise Architecture Technical Advisory Board (SEATAB) was established, replacing three other groups, and became the single governance body chartered to oversee and manage all architecture and technical decisions concerning the FDIC’s technology infrastructure, platforms, systems, and applications.

The implementation of the SEATAB was only one of the changes made in IT governance. The Chief Information Officer (CIO) Council charter was also revised to increase business division membership. The CIO Council is the principal advisory body to the CIO, and its members have delegated authority to agree to and authorize IT decisions on behalf of the division or office each member represents.

Additionally, an IT Operating Committee Sub-Charter was established to reflect the Operating Committee’s strategic role in IT governance. The Operating Committee also assumed the responsibilities of the Intelligence and Critical Infrastructure Protection Committee (ICIPC). The Operating Committee, as the executive leadership of FDIC divisions and offices, is consulted and informed on corporate-wide IT matters. This ensures that there is consensus on IT decisions that affect business priorities and corporate-wide operations, and that these decisions are in the best interest of the FDIC.

The changes made in IT governance, together with the IT Decision Framework that serves as the foundation for IT architecture, development policy, and standards decisions, ensure the integration and alignment of the FDIC’s information technology and security management processes with the agency’s strategic planning.

Insider Threat and Counterintelligence Program

An insider threat is a risk posed to the FDIC by an individual who misuses or betrays, wittingly or unwittingly, his or her authorized access to FDIC resources. Such an individual may have access to sensitive or personally identifiable information, as well as privileged access to critical infrastructure or business-sensitive information (e.g., bank data).

The FDIC established the Insider Threat and Counterintelligence Program (ITCIP) in September 2016. ITCIP is a defensive program focused on preventing and mitigating internal and external threats and risks posed by insiders and foreign intelligence entities to FDIC personnel, facilities, assets, resources, and both national security and sensitive information. These threats may involve inadvertent disclosures or intentional breaches of sensitive information by personnel who may be compromised by external sources, disgruntled, seeking personal gain, intending to damage the reputation of the FDIC, or acting for some other reason. ITCIP leverages both physical and logical safeguards to minimize the risk, likelihood, and impact of an insider threat.

The National Insider Threat Task Force (NITTF) initiated its Federal Program Review in January 2017 to ensure the FDIC’s implementation of the White House minimum standards. NITTF’s independent evaluation showed that FDIC’s ITCIP met all minimum standards and achieved full operating capability. NITTF also noted that FDIC’s ITCIP leads the federal government in several best practices that affect the entire workforce and serves as a model program for other independent regulators and non-Title 50 departments and agencies. The FDIC is moving forward with several important new steps to further advance the agency’s ITCIP during 2019 and beyond.
