WASHINGTON—A federal watchdog says the Trump administration’s sustained downsizing of the Consumer Financial Protection Bureau has left the agency’s information security program ineffective.
In a new audit of the CFPB’s cybersecurity posture, the Federal Reserve’s Office of Inspector General reported that the Bureau has fallen behind on renewing authorizations to operate numerous systems and is “using risk acceptance memorandums without a documented analysis of cybersecurity risks,” FedScoop reported.
As a result, the Fed OIG said the CFPB’s information security program slipped to a level-2 “defined” maturity rating in fiscal 2025, down from level-4 “managed and measurable,” marking a significant decline in its cybersecurity rigor, FedScoop stated.
“We further concluded, based on the results of our determinations of effectiveness in each domain and function, that the CFPB’s overall information security program is not effective,” the IG wrote.
Backsliding on these security measures can be at least partially attributed to a loss of contractor support for continuous security monitoring and testing, per the audit, as well as the mass exodus of CFPB staff under the Trump administration, FedScoop noted.
“As such, the CFPB is unable to maintain an effective level of awareness of security vulnerabilities in its environment,” the audit noted.
Even with significant staffing shortages, the OIG noted that remaining CFPB personnel have taken “some steps to maintain and strengthen its information security program.” The audit highlighted newly formalized ransomware-response procedures and weekly meetings between the agency’s senior information security officer and system owners to manage cyber risks, FedScoop explained.
The CFPB is also moving to retire and modernize legacy IT systems, the report said, though some software in use is now so outdated that vendors no longer provide security patches or updates, FedScoop added.
