According to TheRegister.com, the Consumer Financial Protection Bureau’s cybersecurity program has been deemed “not effective” in a damning new audit from the Office of the Inspector General. The agency’s cybersecurity maturity plummeted from level-4 down to level-2, with 35 systems currently operating either with expired authorizations or without ever undergoing proper security reviews. The audit found the CFPB failed to establish cybersecurity risk profiles and continues using outdated software that no longer receives security updates. Contractor support for security monitoring dropped from 66% to just 25% after terminations, compounded by significant government staff departures. The agency largely agreed with the findings but disputed some characterizations as “misleading.”
What actually went wrong
Here’s the thing about cybersecurity maturity levels – dropping from level 4 to level 2 is basically like going from having a sophisticated security operation to just checking boxes. Level 4 means you’re actually measuring and managing your security posture. Level 2? You’ve defined what you should be doing, but you’re not actually doing it consistently.
The real shocker here is those 35 systems running without proper authorization. We’re talking about systems that handle personal information, confidential investigations, and supervisory data – the exact stuff you’d want locked down tight. Instead, they’re relying on Risk Acceptance Memorandums, which are basically management saying “we know this is risky but we’re doing it anyway” without the full security assessment that should accompany that decision.
Staff exodus cripples security
Now, the CFPB isn’t exactly hiding from these findings. They acknowledge the problems but point to resource constraints as the root cause. And honestly? They’ve got a point. Having your contractor support fall from 66% to 25% in a matter of months would devastate any security program. When you combine that with government staff leaving too, you’ve got a perfect storm.
But here’s what bothers me – the CFPB’s response that many systems are “very low risk” feels like they’re trying to downplay the severity. The OIG pushed back, noting most systems are actually moderate risk and do contain sensitive data. It’s that classic government dance where everyone agrees there’s a problem but disagrees on how bad it really is.
Bigger picture problems
This isn’t just a CFPB problem – it’s part of a broader pattern of federal cybersecurity struggles amid budget cuts and staffing challenges. The timing aligns perfectly with the Trump administration’s efforts to cut the CFPB’s workforce by about 90%, which would have meant roughly 1,500 positions. Similar cuts hit CISA and other agencies, and now we’re seeing the consequences.
Think about it – when you’re losing that much institutional knowledge and manpower, how can you possibly maintain continuous security monitoring? You can’t. The people who understood the systems, knew the risks, and could spot problems are gone. And replacing that expertise takes time and money that apparently isn’t available.
What happens next
The CFPB says they’re working to redeploy staff from other offices to fill these gaps, but that’s like asking accountants to do cybersecurity work. It might help with the manpower shortage, but it doesn’t solve the expertise problem. Meanwhile, they’re still running software that’s reaching end of life in 2024 – which is basically an open invitation to attackers.
So where does this leave consumers whose data the CFPB is supposed to protect? In a pretty vulnerable position, honestly. When the agency responsible for financial consumer protection can’t even protect its own systems, that should worry everyone. The six recommendations from the OIG report need immediate attention, but with current resource levels, I’m skeptical we’ll see meaningful improvement anytime soon.
