2017 Annual Report
I. Management’s Discussion and Analysis
The Year in Review
ENHANCING THE FDIC’S IT SECURITY
FDIC Information Technology Strategic Plan
Information Technology (IT) is a key enabler in ensuring the success of the FDIC’s core programs. Further, the FDIC must ensure that strong security and privacy controls protect the information used in the course of carrying out its responsibilities. In 2017, representatives from the Chief Information Officer Organization (CIOO) and the FDIC’s business divisions contributed their insight and knowledge of IT challenges and opportunities, guided by four core principles: that IT service delivery be secure, affordable, forward-thinking, and better prepare the FDIC to carry out its mission. As a result, the FDIC Information Technology Strategic Plan (ITSP) 2017-2020 was developed to address many of the foundational issues affecting the cost and quality of IT services.
The ITSP goals are in the areas of information security and privacy, continuity of operations, enterprise mobility, information management and analytics, and IT service delivery. The ITSP identifies opportunities for the FDIC to improve internal operations in a world of ever-changing technology. The plan identifies five major goals with supporting objectives designed to improve business capabilities and systems:
- Improve information security and privacy protections against cyber threats and data breaches;
- Ensure that the IT systems supporting mission essential functions are continuously available and provide depositors confidence that their funds are readily available in the event of a crisis or bank failure;
- Develop mobile technologies that offer opportunities for authorized users of FDIC applications to conduct their work in new ways and from remote locations;
- Create new information management and analysis capabilities to assess risk in support of the FDIC’s supervisory responsibilities; and
- Improve service delivery and timely response to new business requirements. New capabilities serve both long-term institutional improvements and the FDIC’s readiness in the event of unexpected challenges.
Achieving these goals will significantly improve FDIC operations and the value the FDIC provides to the nation’s financial system. During 2017, the FDIC advanced a variety of initiatives to begin fulfilling the goals set forth in this plan.
Addressing FDIC Cybersecurity Risk
The FDIC is committed to strengthening and managing effective and efficient cybersecurity practices. At the foundation of these practices is risk management, which serves to proactively identify, protect, detect, and respond to threats, as well as to rapidly recover from cybersecurity incidents. During 2017, the FDIC took a number of actions to enhance and improve its risk management practices.
The FDIC addressed cybersecurity risk as a critical element of the ITSP. This strategic focus emphasizes the importance of cybersecurity to the mission and prompts tangible actions to sustain and improve our cybersecurity posture. To operationalize the strategy, the FDIC implemented a risk management function and assigned program- and executive-level officials to manage information risk. Ensuring that leaders are accountable for the effective planning, implementation, and monitoring of risk management enables the FDIC to identify, prioritize, communicate, and sustain the controls required to mitigate cybersecurity risks across the agency.
On May 11, 2017, the President issued an Executive Order entitled Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. The Executive Order builds on existing statutory requirements under the Federal Information Security Modernization Act of 2014 (FISMA), which establishes information security obligations for federal agencies (including the FDIC).
Subsequent to the issuance of the Executive Order, the Office of Management and Budget issued Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, to provide agency heads with instructions for meeting the risk management reporting requirements in the Executive Order. To fulfill these requirements to strengthen cybersecurity, the FDIC:
- Designated, and reported on, the Senior Accountable Official (SAO) for cybersecurity risk;
- Developed and submitted the FY17 Annual Risk and FISMA Reports;
- Conducted a CIOO Cybersecurity Framework (CSF) self-assessment which assessed the current state of FDIC cybersecurity controls; and
- Used the identified risks from the CIOO CSF assessment and FDIC FISMA reports to develop and submit an action plan for implementing the CSF.
Furthermore, the FDIC is restructuring corporate-wide information security guidance through the issuance of a new Information Security Policy Framework, which will align FDIC information security to industry-leading best practices, and will comply with recent cybersecurity requirements issued by the President and the U.S. Office of Management and Budget (OMB). Transitioning to the new framework will make it easier for FDIC personnel to identify applicable guidance and highlight policy areas needing improvement. The reorganization of policy information is still underway with completion expected in mid-2018.
Mobility and Strengthening of Endpoint Devices
The Enterprise Mobility objective is a comprehensive effort to deploy mobile technologies that enable FDIC authorized users to conduct their work in ways that improve efficiency and increase flexibility. This capability provides FDIC users with the ability to work securely, from any location at any time, on FDIC-owned equipment. During 2017, FDIC completed a variety of projects to support this objective, including:
- Laptop deployment — phased out desktops, eliminated use of personal computers, and issued identical and more secure government furnished equipment;
- Smartphone deployment — replaced FDIC-issued BlackBerry mobile devices with modern smartphones to expand mobile workforce capabilities while enhancing security; and
- Mobile Device Management (MDM) technology — implemented a FedRAMP-compliant¹, cloud-based MDM solution to manage FDIC mobile devices.
Insider Threat and Counterintelligence Program
An insider threat is a concern or risk posed to the FDIC that involves an individual who misuses or betrays, wittingly or unwittingly, his or her authorized access to FDIC resources. This individual may have access to sensitive or personally identifiable information as well as privileged access to critical infrastructure or business sensitive information (e.g., bank data).
The FDIC established the Insider Threat and Counterintelligence Program (ITCIP) in September 2016. ITCIP is a defensive program focused on preventing and mitigating internal and external threats and risks posed to FDIC personnel, facilities, assets, resources, and both national security and sensitive information by insider and foreign intelligence entities. These threats may involve inadvertent disclosures and intentional breaches of sensitive information by personnel who may be compromised by external sources, disgruntled, seeking personal gain, intending to damage the reputation of the FDIC, or acting for some other reason. ITCIP leverages both physical and logical safeguards to minimize the risk, likelihood, and impact of an executed insider threat.
The National Insider Threat Task Force (NITTF) initiated its Federal Program Review in January 2017 to ensure the FDIC’s implementation of the White House minimum standards. NITTF’s independent evaluation showed that ITCIP met all minimum standards and achieved full operating capability on August 24, 2017. NITTF noted that ITCIP leads the federal government in several best practices that affect the entire workforce and serves as a model program for other independent regulators and non-Title 50 Departments and Agencies.
¹ The Federal Risk and Authorization Management Program (FedRAMP) is an assessment and authorization process which U.S. federal agencies have been directed by the Office of Management and Budget to use to ensure security is in place when accessing cloud computing products and services.