Commerce neglects its IT security workforce: inspector general

The department has not devoted enough attention and resources to training its IT security workers

The Commerce Department has failed to take the basic steps to develop the workforce that oversees the security of the department’s information technology systems, a newly posted report states.

The department’s management has not devoted enough attention and resources to training its IT security workers, according to an audit by the department’s inspector general. The audit, dated Sept. 30, said officials haven’t assigned who is accountable for which IT security systems, and many of Commerce's IT security officers don’t have the required security clearances. Without that clearance, the officers may be kept from learning the full extent of a cyber attack because they aren’t privy to the information, the report states.

“As a result, Commerce is at risk of not being satisfactorily prepared to protect its IT assets and information,” wrote Brett Baker, the assistant IG for audit.

The report recommends greater professional development and role-based training for IT security employees, especially those with significant responsibilities. Officials also should formally document officers' duties, and they should associate specific security clearances with particular IT positions and responsibilities, the report recommends.

In response, the department said the audit report overstates the security clearance issue, because not all security officers, such as those working at the operational level, need top-secret clearances.

Commerce has more than 300 IT systems, and 32 of them are high-impact systems. A system is considered high impact if a hacker could breach it and expose confidential government data, or could impair the department’s operations and compromise its assets.

Baker wrote, “We are particularly concerned with the weaknesses found among the IT security workforce responsible for high-impact systems, because a security breach would have a severe impact on these systems.”

Cyber threats are a moving target, and they are increasing in number and sophistication almost daily, the report states. To meet those realities, the IT security program needs professionals with appropriate skills and experience to implement the required security controls and recognize emerging threats, according to the report.

Commerce officials said the National Institute of Science and Technology already has a leadership role on the Federal Chief Information Officer Council, as a member of the IT workforce committee. On that committee, its representatives can confront the governmentwide problem of developing a workforce with greater understanding of IT system security.

About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.
