Fed Inspector General: Board needs policies for sensitive information

federal-reserve-bank
The Federal Reserve Office of the Inspector General released a report Thursday saying that the board of governors lacks sufficient guidance on the handling of controlled unclassified information and recommended that such policies be developed and adopted.
Bloomberg News

The Federal Reserve Board of Governors lacks sufficient standards for how its staff handles certain types of sensitive information, according to findings from its internal watchdog.

The Fed's Office of Inspector General issued a report Thursday highlighting the central bank's lack of policies around how to safeguard so-called controlled unclassified information, or CUI, a label that applies to sensitive government information that does not rise to the level of classified. 

Fed officials agreed with the findings and told the inspector general that they have already taken steps to address the situation. 

During a yearlong review of the Fed's intelligence systems, which ran from October 2022 to October 2023, auditors from the inspector general's office interviewed officials from five divisions under the board of governors that frequently deal with CUI, including the legal division and information technology division. 

According to the report, no staffers were aware of any guidelines around handling such information and several expressed concern about their absence.

"Specifically, one official indicated that the lack of CUI guidance is a potential gap in Board guidance," the report states. "Officials from multiple Board divisions agreed that including some information on CUI safeguarding in Board guidance and training would be helpful."

The board's IT division does have a set of policies on how to handle the board's printed and digital information, known as the Information Classification and Handling Standard. These rules outline how staff should classify and protect various types of information the board generates and receives. But, according to the report, these rules do not address CUI.

The report noted that the Fed's standards largely apply to sensitive information created by the board, but does acknowledge that some information received may be subject to different and more stringent requirements. 

For external sensitive information shared with the board, officials told auditors that staff are instructed to follow handling guidelines set out by the transmitting agency. But, the report notes that investigators were "unable to locate such instructions in a Boardwide information policy or annual training."

The report instructs the board's chief information officer to update Information Classification and Handling Standard to include examples of the types of CUI that might be received from other agencies and to spell out the Fed's current expectations on protecting this type of information. It also calls for training standards to be updated to increase the awareness of CUI. 

The CUI designation is a product of the Obama administration and stems from an initiative undertaken by President George W. Bush following the terrorist attacks of Sept. 11, 2001. Prior to these efforts, the ways different government agencies identified, handled and shared information that was sensitive — but not confidential — varied widely.

"This patchwork approach resulted in federal agencies marking and handling this information inconsistently, implementing unclear or unnecessarily restrictive disseminating policies, and creating obstacles to information sharing," the inspector general report states.

The Fed's IT division has committed to issuing an updated version of its Information Classification and Handling Standards by the end of this month. 

For reprint and licensing requests for this article, click here.
Regulation and compliance Politics and policy
MORE FROM AMERICAN BANKER