The Office of Inspector General of the Federal Deposit Insurance Corp. said the FDIC’s security controls in its cloud computing environment are not effectively implemented in five areas: identity and access management, cloud secret protection, patch management, flaw remediation and audit logging.
The audit, conducted in partnership with Sikich, found six common themes of security weaknesses in the FDIC cloud platform, the OIG said Thursday.
According to Sikich, the cloud platform teams did not consistently implement secure coding practices, configure cloud platform security settings per cloud service providers and industry best practices, or provision access to its cloud-based systems in accordance with the principle of least privilege.
The company also found that the platform relied on outdated software components and was not properly monitored by the FDIC, and that cloud service providers were solely responsible for causing certain vulnerabilities.
To improve cloud security controls, Sikich made recommendations, including designing and implementing a plan to prevent, detect and remediate security weaknesses.
The FDIC concurred with all recommendations and plans to complete all corrective actions by December 30, 2026.