FDIC Cybersecurity Program
Congress created the FDIC in the Banking Act of 1933 to maintain stability and public confidence in the nation's banking system. Cybersecurity is a key element for the success of FDIC's core programs. The FDIC has implemented a cybersecurity program that aligns to the requirements of the Federal Information Security Modernization Act of 2014 (FISMA) to safeguard information and information systems. The FDIC has also implemented a Risk Management Framework (RMF) that is consistent with National Institute of Standards and Technology (NIST) guidance to identify, assess, implement and monitor security and privacy controls.
FISMA
The FDIC's Cybersecurity Program aligns to the requirements of the Federal Information Security Modernization Act of 2014 (FISMA).
FISMA amended the Federal Information Security Management Act of 2002 by providing several modifications that modernize federal security practices to address evolving security concerns. As part of FISMA, Federal agencies, including the FDIC, must provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of:
- Information collected/maintained by or on behalf of an agency.
- Information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.
In addition, Federal agencies must comply with the information security standards and guidelines developed by the National Institute of Standards and Technology (NIST). The FDIC partners with the broader Federal community to strengthen our cybersecurity posture.
Risk Management Framework
The FDIC has implemented a Risk Management Framework (RMF) that is consistent with National Institute of Standards and Technology (NIST) guidance to identify, assess, implement and monitor security and privacy controls. The FDIC's RMF provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The FDIC's RMF enables a risk-based approach to control selection and implementation to support an efficient and effective prioritization of security resources.
The FDIC's RMF is comprised of seven key steps:
- Prepare: System requirements and the target system architecture are documented to support the subsequent steps of the RMF.
- Categorize: An impact analysis is conducted to categorize information systems based on FIPS 199 Standards for Security Categorization of Federal Information and Information Systems.
- Select: The FIPS 199 impact level determined during the categorization step dictates the appropriate baseline set of security controls for the system. NIST Special Publication (SP) 800-53 Rev 5 (Security and Privacy Controls for Information Systems and Organizations) specifies a minimum set of security controls for each of the FIPS 199 impact levels.
- Implement: The controls identified in the Select step are implemented.
- Assess: An independent security controls assessment is completed to ensure that controls are implemented as designed and operating as intended.
- Authorize: Following the independent security control assessment, the information system is granted an Authorization to Operate (ATO) by the FDIC's Chief Information Officer (CIO). FDIC systems are not deployed into production without an ATO.
- Monitor: After deployment, systems enter the FDIC's continuous monitoring program. Any changes to a system are reviewed through a Security Impact Analysis (SIA) process prior to deployment. Systems are also subject to periodic control assessments.
Vulnerability Disclosure Program
The FDIC encourages security researchers to contact us to report potential vulnerabilities identified in FDIC systems. For more information on reporting potential security vulnerabilities, see the FDIC Vulnerability Disclosure Policy.
Privacy Program
Privacy is a priority at the FDIC. The FDIC maintains a Privacy Program that supports the FDIC's mission by managing privacy risks and ensuring compliance with applicable privacy requirements. For more information on the FDIC's Privacy Program, see the Privacy Program page.