GAO: Security lapses jeopardize feds' personal info

Weak access controls are creating the potential for users to misuse, alter and disclose federal employees' sensitive personnel and financial information stored on National Finance Center computer systems, according to a new General Accounting Office report.

NFC, a part of the Agriculture Department, operates systems such as payroll/personnel and accounting systems for the USDA and for about 60 other federal organizations. NFC also maintains records for the Thrift Savings Program, a type of 401(k) program for federal employees.

GAO concluded that NFC's access control problems "placed sensitive personnel information at risk of disclosure, critical financial operations at risk of disruption and assets at risk of loss." Logical, system software and physical access controls are designed to protect computer data from unauthorized access or modification.

Specifically, GAO found that NFC was giving legitimate users too much access to financial and sensitive personal information. For example, GAO found that 86 users had the ability to read and alter any data stored on tape regardless of other security software controls in place. NFC has said it has taken steps to limit this access, according to the report.

In addition, GAO found that users could bypass access controls and gain unauthorized access to financial and other sensitive data maintained by NFC - or cause failures. For example, the system software that controls batch processing allowed users with the ability to execute a batch program to bring down the system or turn off features such as the security software.

NFC also did not adequately manage user identifications and passwords, control access to its systems from remote locations or monitor system activity so that network attacks could be detected immediately, the GAO found. In addition, more than 120 people had unnecessary access to NFC's computer room and tape library.

Robert Dacey, director of consolidated audit and computer security issues at GAO, said GAO did not look for or find specific instances of actual fraud, disclosure or misuse of information. The GAO report supplements a USDA inspector general report to be released soon.

NFC said it agreed with the findings, corrected most of the items identified already and planned corrective actions for the rest of those items. "We already have firewalls in place," said Archie Bertrand, chief of the Information Systems Security Office at NFC. "We're putting in external and internal intrusion-detection systems and are also running self-assessments to identify vulnerabilities that have been developed during the course of ongoing [system] maintenance."

Gary Millet, chief of the systems review office at NFC, said the agency has reduced the number of employees that had access to certain information. For example, NFC no longer allows broad access to files that control certain access privileges and audit trail information, the report stated.

A spokeswoman for Sen. Richard Lugar, (R-Ind.) chairman of the Senate Agriculture Committee, said although the findings are serious, the committee has been assured that NFC is working to address the concerns in the report.


  • FCW Perspectives
    human machine interface

    Your agency isn’t ready for AI

    To truly take advantage, government must retool both its data and its infrastructure.

  • Cybersecurity
    secure network (bluebay/

    Federal CISO floats potential for new supply chain regs

    The federal government's top IT security chief and canvassed industry for feedback on how to shape new rules of the road for federal acquisition and procurement.

  • People
    DHS Secretary Kirstjen Nielsen, shown here at her Nov. 8, 2017, confirmation hearing. DHS Photo by Jetta Disco

    DHS chief Nielsen resigns

    Kirstjen Nielsen, the first Homeland Security secretary with a background in cybersecurity, is being replaced on an acting basis by the Customs and Border Protection chief. Her last day is April 10.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.