Commerce neglects its IT security workforce: inspector general

The department has not devoted enough attention and resources to training its IT security workers

The Commerce Department has failed to take the basic steps to develop the workforce that oversees the security of the department’s information technology systems, a newly posted report states.

The department’s management has not devoted enough attention and resources to training its IT security workers, according to an audit by the department’s inspector general. The audit, dated Sept. 30, said officials haven’t specified who is accountable for which IT security systems, and many of Commerce's IT security officers don’t have the required security clearances. Without that clearance, the officers may be kept from learning the full extent of a cyber attack because they aren’t privy to the information, the report states.

“As a result, Commerce is at risk of not being satisfactorily prepared to protect its IT assets and information,” wrote Brett Baker, the assistant IG for audit.

The report recommends greater professional development and role-based training for IT security employees, especially those with significant responsibilities. Officials also should formally document officers' duties, and they should tie specific security clearances to particular IT positions and responsibilities, the report recommends.

In response, the department said the audit report overstates the security clearance issue, because not all security officers, such as those working at the operational level, need top-secret clearances.

Commerce has more than 300 IT systems, and 32 of them are high-impact systems. A system is considered high impact if a hacker could breach it and unveil confidential government data or could impair the department’s operations and compromise its assets.

Baker wrote, “We are particularly concerned with the weaknesses found among the IT security workforce responsible for high-impact systems, because a security breach would have a severe impact on these systems.”

Cyber threats are a moving target, and they are increasing in number and sophistication almost daily, the report states. To meet those realities, the IT security program needs professionals with appropriate skills and experience to implement the required security controls and recognize emerging threats, according to the report.

Commerce officials said the National Institute of Science and Technology already has a leadership role on the Federal Chief Information Officer Council, as a member of the IT workforce committee. On that committee, its representatives can confront the governmentwide problem of developing a workforce with greater understanding of IT system security.

About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.
