IG: GSA should check its HR system

The General Services Administration needs to evaluate access controls on its system that contains employees’ personal information, such as performance reviews, according to a recent report.

Jennifer Klimes, audit manager for information technology at GSA’s Inspector General's Office, recommended that agency officials check access to the Comprehensive Human Resources Integrated System (CHRIS) to determine whether controls meet management’s risk-related requirements and whether the controls to privileged information are working as intended, according to a report dated Sept. 8.

Improving the controls would help enforce Least Privilege requirements, Klimes wrote. Least Privilege is a policy that requires a system’s users be given no more access to the personally identifiable information than is necessary to perform their official duties. GSA’s chief information officer requires Least Privilege requirements for all moderate-risk systems, of which CHRIS is one.

Klimes wrote that CHRIS allows managers and supervisors to create and change employees’ performance plans, appraisals and bonus awards. “Because the system does not restrict information that can be input into the award justification data field, supervisors are free to include project-specific or other information about individuals receiving awards,” she wrote, adding, “Award-related information could be used for unofficial purposes.”

For example, she recommended that officials restrict access unless people need to get information for writing reports. Those restrictions could improve management of risks, she wrote.

GSA officials said they designed the system so managers could recognize employees who are outside of their own offices for their work, but Klimes noted that a manager’s reasons for awarding an employee can have sensitive information about other divisions and an employee’s work. Seven managers told the auditors there were instances where they were unaware that other managers had access to the information. Most of the managers said they would prefer to limit access to their own organizations, according to the report.

Klimes also recommended independent reviews of CHRIS and coordination with GSA’s Public Building Service to define responsibilities for securing the data. She also recommended addressing CHRIS’ technical vulnerabilities.

Gail Lovelace, GSA’s chief human capital officer, said in a Sept. 4 letter that she agreed with the recommendations.

“We have worked diligently during 2008 to strengthen managerial, operational and technical controls…to appropriately limit access to sensitive personal information,” Lovelace wrote.

About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.