Skip to Primary Navigation

Fed OIG downgrades CFPB cybersecurity assessment to second-lowest level

CFPB headquarters
Photo: Philip Yabut/Getty Images

Failure to maintain ATOs and lack of documentation key factors in decision.

The information security program of the Consumer Financial Protection Bureau (CFPB) is “not effective” and its maturity level has been downgraded to Level 2 (Defined). The move has been made by the Federal Reserve Board Office of Inspector General (OIG), which released its 2025 Federal Information Security Modernization Act (FISMA) audit

Level

Get full access, free for a month

Start your 28-day free trial to continue reading and access
all content on GRIP – no payment details required.

What’s included:

  • Every new article, plus our 5,000+ archive
  • Daily regulatory insight and guidance
  • Exclusive interviews and in-depth analysis
  • Coverage of industry-leading events and conferences
  • All podcasts and videos, featuring industry experts
  • The full set of Rules Navigator tools
  • An ad-free experience