IG Memo: FDIC’s Wireless Solution for Creating Temporary Wi-Fi Networks Lacks Security Authorizations
In a memorandum released Tuesday, the IG cited “Concerns Related to the FDIC’s Pending Authorization to Operate Its External Wireless Network Solution Cloud Service,” emphasizing that the wireless solution allows users to “set up, monitor and configure wireless networks” using a cloud-based service, Nextgov reported.
The solution, originally developed in 2017, helps the FDIC’s Division of Resolutions and Receiverships establish secure Wi-Fi networks during bank closings.
Now, the solution is being used by other FDIC units, including the Corporate University, which used it for exams that include web-based components.
In early 2018, the FDIC was set to receive the solution's approval from the Security and Enterprise Architecture Technical Advisory Board (SETAB). However, the SETAB told the Division of Information Technology (DIT) that the program did not fit the National Institute of Standards and Technology's definition of a cloud service. The board then suggested that the tool be categorized as an "outsourced solution," a designation that did not require an authority to operate (ATO).
The DIT applied the Outsourced Solution Assessment Methodology (OSAM) to the wireless solution and concluded in early 2019 that the tool was ready to enter the production environment for use.
However, NIST revised its Risk Management Framework (RMF) in 2018, adding supply chain risk management to the RMF process and thereby making the OSAM program redundant.
In June 2020, cybersecurity officials rescinded the OSAM approval for the wireless solution, saying that the program requires an official ATO.
According to the IG memo, the program office for the solution started the process for getting the ATO by reaching out to the vendor. “The vendor, however, was not able to provide sufficient documentation to support an ATO,” the FDIC IG found.
The IG suggested that the FDIC Chief Information Officer Organization consider whether additional actions should be taken for the wireless solution while its ATO is pending.
Additionally, the IG said that while the absence of an ATO is concerning, the FDIC has not had any business need to use the wireless solution since February 2020.