U.S. Commodity Futures Trading Commission

The U.S. Commodity Futures Trading Commission (CFTC) faces an enormous challenge in expanding its mission to create a new regulatory system based on the Dodd-Frank regulatory reform while maintaining the security of its information assets. A thorough review of CFTC’s environment against the twenty critical security controls contained in the SANS Consensus Audit Guidelines (CAG), mandated by the Office of Management and Budget (OMB), identified a number of weaknesses that reduce its overall organizational security. Phase One partnered with the CFTC’s Office of Data and Technology (ODT) to address issues in policy, processes, and information technology, implementing security controls that significantly thwart security threats and meet reporting requirements.

Why This Matters To You

The Commodity Futures Trading Commission’s (CFTC) mission is to protect market users and foster open, competitive, and financially sound derivatives markets. After the 2008 financial crisis and the subsequent enactment of the Dodd-Frank Wall Street Reform and Consumer Protection Act, the CFTC’s mission was expanded exponentially. For the first time, the Commission’s oversight included financial instruments: Over-the-Counter (OTC) derivatives, or “swaps,” whose lack of regulation has been identified as a contributor to the crisis.

Ensuring the safety and security of global financial markets is an issue of U.S. economic and ultimately national security. In today’s futures trading environment, electronic trading dominates. The CFTC, also known as the Commission, recognizes that the most advanced technology, policies and procedures in cyber security are essential to effective market oversight. 

How We Helped

Phase One’s cybersecurity team partnered with the CFTC’s ODT, including the Chief Information Officer (CIO), to ensure they are protected against cybersecurity threats both now and in the future, while ensuring continuous monitoring requirements and Federal Information Security Management Act (FISMA) Reporting Metrics are followed.

The twenty critical controls direct organizations to focus spending on areas that block known attacks and also identify potential new threats, with the emphasis on automating as much of the process as possible. These controls, when married to an organization’s IT strategies and aligned with appropriate resources, enable organizations to develop, operate, and maintain secure information systems.

Phase One brought ODT not only certified technical expertise but also a deep understanding of today’s cybersecurity landscape and knowledge of Federal compliance regulations. Integrating closely with ODT staff, the Phase One/CFTC partnership has improved the overall security posture of the Commission, all while lowering costs and improving their IT effectiveness.