CFPB Inspector General Says Bureau’s Information Security Program Is Ineffective

November 10, 2025 9:12 pm
Defense and Compliance Attorneys


The quality of the CFPB’s information security program “has decreased since last year, leading us to conclude the program no longer is effective,” the bureau’s Inspector General (IG) said in a report.

The bureau’s overall security program has decreased from “manageable and measurable” to “defined,” which is only one step above the lowest security rating, the IG said in an annual audit conducted between April 2025 and October 2025. This is significant, as data maintained by the CFPB includes personally identifiable information on consumers and confidential supervisory information on companies.

“The CFPB is unable to maintain an effective level of awareness of security vulnerabilities in its environment,” according to the report.

The current problem has been exacerbated by the Trump Administration’s efforts to downsize the agency, the IG said. According to several news reports, Acting CFPB Director Russell Vought recently said on the “Charlie Kirk Show” that he thinks he will be successful in shutting down the CFPB in the next two or three months.

Problems at the CFPB have been compounded by the loss of contractors supporting information security monitoring and testing activities, according to the IG. About 65% of the individuals supporting the CFPB’s information security program at the start of 2025 were contractors, according to the IG. By the end of February, that figure had dropped to 25%.

The CFPB’s Enterprise Risk Management (ERM) Program has been placed on hold since the agency’s chief risk officer and other individuals in the ERM office left the agency in March 2025, according to the report. Those positions have not been filled and their responsibilities are not being fully performed, the IG said.

The IG also reported that:

  • The CFPB is not maintaining its authorizations to operate for many systems and is using risk acceptance memorandums without a documented analysis of cybersecurity risks.
  • The CFPB continues to use outdated software on its network for which vendors are no longer providing security updates and patches. The main reason for that is the delay in modernizing, researching and retiring legacy applications. That problem also had been pointed out to bureau officials in the past: “Continued Use of End-of-Life Software Increases the Risk to Sensitive CFPB Data and Systems.”
  • The CFPB could strengthen its information security program by using cybersecurity profiles to evaluate, tailor and prioritize its cybersecurity approach. “Specifically, we believe that the use of profiles can help the agency align its cybersecurity program and control structure with the future state of the agency and the sensitive data it maintains.”
  • Despite constraints, the CFPB was able to update its processes to respond to potential ransomware and transitioned toward a continuous vetting model for employee background checks. In addition, the senior information security employee continued to meet with system owners on a weekly basis, while the bureau also is decommissioning and modernizing its legacy technology systems.

The IG made several technical recommendations. While the CFPB agreed with the IG recommendations, it disputed the notion that it has a lax information security posture.

© Copyright 2025 Credit and Collection News