FDIC Cybersecurity Program
Congress created the FDIC in the Banking Act of 1933 to maintain stability and public confidence in the nation’s banking system. Cybersecurity is a key element for the success of FDIC’s core programs. The FDIC has implemented a cybersecurity program that aligns to the requirements of the Federal Information Security Modernization Act of 2014 (FISMA) to safeguard information and information systems. The FDIC has also implemented a Risk Management Framework (RMF) that is consistent with National Institute of Standards and Technology (NIST) guidance to identify, assess, implement and monitor security and privacy controls.
The FDIC’s Cybersecurity Program aligns to the requirements of the Federal Information Security Modernization Act of 2014 (FISMA).
FISMA amended the Federal Information Security Management Act of 2002 by providing several modifications that modernize federal security practices to address evolving security concerns. As part of FISMA, Federal agencies, including the FDIC, must provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of:
- Information collected/maintained by or on behalf of an agency.
- Information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.
In addition, Federal agencies must comply with the information security standards and guidelines developed by the National Institute of Standards and Technology (NIST). The FDIC partners with the broader Federal community to strengthen its cybersecurity posture.
Risk Management Framework
The FDIC has implemented a Risk Management Framework (RMF) that is consistent with National Institute of Standards and Technology (NIST) guidance to identify, assess, implement and monitor security and privacy controls. The FDIC’s RMF provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The FDIC’s RMF enables a risk-based approach to control selection and implementation to support and efficient and effective prioritization of security resources.
The FDIC’s RMF is comprised of seven key steps:
- Prepare: System requirements and the target system architecture are documented to support the subsequent steps of the RMF.
- Categorize: An impact analysis is conducted to categorize information systems based on FIPS 199 Standards for Security Categorization of Federal Information and Information Systems.
- Select: The FIPS 199 impact level determined during the Categorize step dictates the baseline set of security controls for the system. NIST Special Publication (SP) 800-53 Rev 5 (Security and Privacy Controls for Information Systems and Organizations) defines the control catalog, and its companion SP 800-53B (Control Baselines for Information Systems and Organizations) specifies the minimum set of controls for each FIPS 199 impact level (low, moderate, and high). The baseline is then tailored to the system.
- Implement: The controls identified in the Select step are implemented.
- Assess: An independent security controls assessment is completed to ensure that controls are implemented as designed and operating as intended.
- Authorize: Following the independent security control assessment, the information system is granted an Authorization to Operate (ATO) by the FDIC’s Chief Information Officer (CIO). FDIC systems are not deployed into production without an ATO.
- Monitor: After deployment, systems enter the FDIC’s continuous monitoring program. Any changes to a system are reviewed through a Security Impact Analysis (SIA) process prior to deployment. Systems are also subject to periodic control assessments.
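The Categorize and Select steps follow mechanical rules that are easy to get wrong by hand: FIPS 199 assigns each information type a (confidentiality, integrity, availability) triple, the system inherits the highest value per objective across all of its information types (the "high-water mark"), "not applicable" is permitted only for confidentiality and only at the information-type level, and FIPS 200 then uses the highest of the three system-level values to pick the SP 800-53B baseline. The following example, added here and not code from the FDIC or NIST, works through those rules on a constructed three-information-type system. The baseline excerpt is an illustrative subset constructed for the example; confirm actual baseline membership against SP 800-53B before relying on it.

```python
"""FIPS 199 system categorization and baseline selection (added example).

Assumptions: the information types, their impact values, and the
BASELINE_EXCERPT table below are constructed for illustration only.
"""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    # FIPS 199 allows "not applicable" only for the confidentiality of
    # information that is intentionally public; it ranks below LOW.
    NA = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class SecurityCategory:
    """A FIPS 199 security category: one impact value per objective."""
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __post_init__(self):
        # FIPS 199: integrity and availability always have at least a LOW impact.
        if Impact.NA in (self.integrity, self.availability):
            raise ValueError("integrity and availability cannot be 'not applicable'")

    def __str__(self):
        return ("SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}"
                % (self.confidentiality.name, self.integrity.name, self.availability.name))


def categorize_system(info_types: dict[str, SecurityCategory]) -> SecurityCategory:
    """FIPS 199 Sec. 3.2: for each objective, the system takes the highest impact
    value assigned to that objective across every information type it handles."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    cats = list(info_types.values())
    c = max(sc.confidentiality for sc in cats)
    i = max(sc.integrity for sc in cats)
    a = max(sc.availability for sc in cats)
    # FIPS 199: NA cannot be assigned to any objective at the *system* level,
    # because system-level processing functions must themselves be protected.
    return SecurityCategory(max(c, Impact.LOW), i, a)


def overall_impact(sc: SecurityCategory) -> Impact:
    """FIPS 200: the system's overall impact level is the high-water mark of the
    three objectives; it is what selects the SP 800-53B baseline."""
    return max(sc.confidentiality, sc.integrity, sc.availability)


# Constructed, illustrative subset of baseline membership (control id -> baselines
# that include it). Not the authoritative SP 800-53B tables.
BASELINE_EXCERPT = {
    "AC-2":    {Impact.LOW, Impact.MODERATE, Impact.HIGH},
    "AC-2(1)": {Impact.MODERATE, Impact.HIGH},
    "AU-6":    {Impact.LOW, Impact.MODERATE, Impact.HIGH},
    "AU-9(3)": {Impact.HIGH},
    "RA-5":    {Impact.LOW, Impact.MODERATE, Impact.HIGH},
    "SC-8":    {Impact.MODERATE, Impact.HIGH},
    "SC-28":   {Impact.MODERATE, Impact.HIGH},
}


def select_baseline(level: Impact, catalog=BASELINE_EXCERPT) -> list[str]:
    """Select step: every control whose baseline set includes the system's level."""
    return sorted(ctrl for ctrl, levels in catalog.items() if level in levels)


# Constructed sample system: public web content, customer PII, and ops telemetry.
EXAMPLE_SYSTEM = {
    "public_web_content": SecurityCategory(Impact.NA, Impact.MODERATE, Impact.LOW),
    "customer_pii":       SecurityCategory(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "ops_telemetry":      SecurityCategory(Impact.LOW, Impact.LOW, Impact.MODERATE),
}


if __name__ == "__main__":
    for name, sc in EXAMPLE_SYSTEM.items():
        print(f"{name:20s} {sc}")
    system_sc = categorize_system(EXAMPLE_SYSTEM)
    level = overall_impact(system_sc)
    print("system:", system_sc)
    print("overall impact level:", level.name)
    print("baseline controls (excerpt):", ", ".join(select_baseline(level)))
```

Note that availability ends up MODERATE even though the PII itself is only LOW for availability: a single information type with a higher value raises the whole objective. The opposite trap is a system that carries only public data with confidentiality NA; the system-level category is still at least LOW for confidentiality, which the `categorize_system` clamp enforces.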
Vulnerability Disclosure Program
The FDIC encourages security researchers to contact us to report potential vulnerabilities identified in FDIC systems. For more information on reporting potential security vulnerabilities, see the FDIC Vulnerability Disclosure Policy.
Privacy Program
Privacy is a priority at the FDIC. The FDIC maintains a Privacy Program that supports the FDIC’s mission by managing privacy risks and ensuring compliance with applicable privacy requirements. For more information on the FDIC’s Privacy Program, see the Privacy Program page.