News in Brief

Appropriators consolidate cyber spending, IG dings HHS and more


HHS gets low marks on security card implementation

The Department of Health and Human Services' efforts at implementing secure ID cards were rated "inadequate" by the HHS Office of Inspector General.

A new IG report said HHS's implementation of the 2004 Homeland Security Presidential Directive 12 is uneven and has some vulnerabilities that could put the agency's security at risk.

The report said the agency's HSPD-12 efforts lacked controls to ensure that all credentialing requirements were met, and noted that identification cards weren't deactivated in a timely manner. It also said controls to access and manage the system were not tight enough.

According to the study, the HHS data center's network firewall configuration also didn't comply with its security policies.

The OIG also found that security management controls, including patch management, antivirus management, and configuration management, were not implemented on HSPD-12 workstations at any of the division PIV Card Issuance Facilities that were audited. The study said HHS also allowed nongovernmental computers to connect to card management systems.

The OIG recommended that HHS implement security requirements for card enrollment and issuance, deactivation of cards, system access, security management, physical security, and Web portals associated with the identity card program.

Senate appropriators seek to consolidate cyber spending

Tim Starks at CQ Roll Call reports that the Energy Department cybersecurity budget for energy, science and environmental missions spreads funding over 11 different accounts, and the Senate Appropriations Committee wants all of that nearly $150 million consolidated into one place.

The fiscal 2015 Energy and Water spending bill includes $304 million in cybersecurity funding for the Department of Energy, with $155 million for the National Nuclear Security Administration and $149 million for energy/science/environmental missions.

But the NNSA money is all coordinated by one official, and the report on the Senate bill says DOE "should follow NNSA's example of consolidating cybersecurity activities and funding authority to one person under one funding account."

California firm boosts state-level transparency

Federal agencies have the IT Dashboard, but GCN reports that a growing number of state and local governments are turning to a California startup for their financial transparency efforts.

OpenSource.com, a Mountain View-based firm, "works as a subscription service. Agencies email their raw general ledger data. ... The company maps the data, accounting for each municipality's unique chart of accounts, and provides a link to a website for review, often within a week."

British hacker indicted on charges of breaching agency networks

Ten days after the Government Accountability Office revealed hackers had infiltrated satellite data by hijacking a contractor's personal computer, federal prosecutors unsealed a set of indictments against a British man for breaching several U.S. government agency networks in another case.

The FBI said on July 25 that 29-year-old Lauri Love of Stradishall, England, had been indicted by a U.S. federal grand jury on charges of conspiracy, causing damage to a protected computer, access device fraud and aggravated identity theft. British law enforcement dropped their charges against Love on July 25 so the U.S. could pursue its charges.

According to the federal indictment, in October 2012 Love and co-conspirators broke into protected computers belonging to the Department of Energy, the Department of Health and Human Services, the U.S. Sentencing Commission, the FBI's Regional Computer Forensics Laboratory, and computers at Deltek, Inc. and Forte Interactive Inc. by exploiting a known vulnerability in Adobe ColdFusion, a software program designed to build and administer websites and databases. The vulnerability, which according to the FBI has since been corrected, allowed Love and the accomplices to access protected areas of the victims' computer servers without proper login credentials.

The indictment accused Love and his cohorts of obtaining administrator-level access to the networks using custom file managers, allowing them to upload and download files, edit, remove and search for data. It said Love and his group got more than 100,000 employee records with names, Social Security numbers, addresses, phone numbers, salary information and other financial records, including credit card numbers.

About the Author

Connect with the FCW staff on Twitter @FCWnow.
