Multifactor Authentication Not Mandated for All FDIC Employees: OIG

WASHINGTON — The Federal Deposit Insurance Corp. does not require all its administrative users to log into its systems using multifactor authentication, according to an audit released Friday by the agency's Office of Inspector General.

According to the report, which was produced by the accounting firm Cotton & Co., outside information technology providers contracted by the FDIC are not explicitly mandated to require users to verify their identity with separate pieces of evidence — a baseline cybersecurity standard required by most credit cards, among others.

As a result, those outside IT providers "generally do not require [multifactor authentication] for privileged user access," said the report, citing an FDIC official.

FDIC spokeswoman Barbara Hagenbaugh said that administrative users do not generally use outsourced providers to access FDIC systems.

The audit also said explanations for why multifactor authentication "may or may not be used" by the agency's IT contractors were "not readily available."

An FDIC official cited in the report said requiring all IT contractors to implement multifactor authentication "poses practical challenges."

"For example," the official said, "vendors would likely use a variety of [multifactor authentication] solutions that the FDIC would need to use and assess."

The FDIC does require its IT contractors to sign security clauses to ensure that the agency's data is "adequately protected from loss, misuse, and unauthorized access or modification," according to the report.

But the clauses do not specify that the IT contractors must use multifactor authentication or other cybersecurity tools at the FDIC's disposal, such as download-tracking software and network forensics, according to the report.

Information was not "readily available regarding the extent to which the FDIC's outsourced providers used such capabilities," the audit found.

The report also outlined steps the FDIC is taking to modify its cybersecurity controls. The agency last year had decided to allow nonadministrator users to access the network using tokens, which are verification codes generated for each login.

But the FDIC decided to move toward a personal identity verification card — a smartcard for federal employees backed by mandatory security standards.

The FDIC plans to require personal identity verification cards from all users of its systems by 2017, the report said.

In recent months, the FDIC has been the subject of a congressional inquiry into several cybersecurity breaches that involved the theft of sensitive data by departing employees.

On Monday the agency issued a public statement announcing a series of new cybersecurity measures and promising to "remain alert and continue to adjust [its] security controls in light of the changing threat landscape."

MORE FROM AMERICAN BANKER