GAO: Security lapses jeopardize feds' personal info

Weak access controls are creating the potential for users to misuse, alter and disclose federal employees' sensitive personnel and financial information stored on National Finance Center computer systems, according to a new General Accounting Office report.

NFC, a part of the Agriculture Department, operates systems such as payroll/personnel and accounting systems for the USDA and for about 60 other federal organizations. NFC also maintains records for the Thrift Savings Program, a type of 401(k) program for federal employees.

GAO concluded that NFC's access control problems "placed sensitive personnel information at risk of disclosure, critical financial operations at risk of disruption and assets at risk of loss." Logical, system software and physical access controls are designed to protect computer data from unauthorized access or modification.

Specifically, GAO found that NFC was giving legitimate users too much access to financial and sensitive personal information. For example, GAO found that 86 users had the ability to read and alter any data stored on tape regardless of other security software controls in place. NFC has said it has taken steps to limit this access, according to the report.

In addition, GAO found that users could bypass access controls and gain unauthorized access to financial and other sensitive data maintained by NFC - or cause failures. For example, the system software that controls batch processing allowed users with the ability to execute a batch program to bring down the system or turn off features such as the security software.

NFC also did not adequately manage user identifications and passwords, control access to its systems from remote locations or monitor system activity so that network attacks could be detected immediately, the GAO found. In addition, more than 120 people had unnecessary access to NFC's computer room and tape library.

Robert Dacey, director of consolidated audit and computer security issues at GAO, said GAO did not look for or find specific instances of actual fraud, disclosure or misuse of information. The GAO report supplements a USDA inspector general report to be released soon.

NFC said it agreed with the findings, had already corrected most of the items identified and planned corrective actions for the rest. "We already have firewalls in place," said Archie Bertrand, chief of the Information Systems Security Office at NFC. "We're putting in external and internal intrusion-detection systems and are also running self-assessments to identify vulnerabilities that have been developed during the course of ongoing [system] maintenance."

Gary Millet, chief of the systems review office at NFC, said the agency has reduced the number of employees who had access to certain information. For example, NFC no longer allows broad access to files that control certain access privileges and audit trail information, the report stated.

A spokeswoman for Sen. Richard Lugar (R-Ind.), chairman of the Senate Agriculture Committee, said although the findings are serious, the committee has been assured that NFC is working to address the concerns in the report.

