News in Brief

Appropriators consolidate cyber spending, IG dings HHS and more

HHS gets low marks on security card implementation

The Department of Health and Human Services' efforts at implementing secure ID cards were rated "inadequate" by the HHS Office of Inspector General.

A new IG report said HHS's implementation of the 2004 Homeland Security Presidential Directive 12 is uneven and has some vulnerabilities that could put the agency's security at risk.

The report said the agency's HSPD-12 efforts lacked controls to ensure that all credentialing requirements were met, and noted that identification cards weren't deactivated in a timely manner. It also said controls to access and manage the system were not tight enough.

According to the study, the HHS data center's network firewall configuration also didn't comply with its security policies.

The OIG also found that security management controls, including patch management, antivirus management, and configuration management, were not implemented on HSPD-12 workstations at any of the division PIV Card Issuance Facilities that were audited. The study said HHS also allowed nongovernmental computers to connect to card management systems.

The OIG recommended that HHS implement security requirements for card enrollment and issuance, deactivation of cards, system access, security management, physical security, and Web portals associated with the identity card program.

Senate appropriators seek to consolidate cyber spending

Tim Starks at CQ Roll Call reports that the Energy Department cybersecurity budget for energy, science and environmental missions spreads funding over 11 different accounts, and the Senate Appropriations Committee wants all of that nearly $150 million consolidated into one place.

The fiscal 2015 Energy and Water spending bill includes $304 million in cybersecurity funding for the Department of Energy, with $155 million for the National Nuclear Security Administration and $149 million for energy/science/environmental missions.

But the NNSA money is all coordinated by one official, and the report on the Senate bill says DOE "should follow NNSA's example of consolidating cybersecurity activities and funding authority to one person under one funding account."

California firm boosts state-level transparency

Federal agencies have the IT Dashboard, but GCN reports that a growing number of state and local governments are turning to a California startup for their financial transparency efforts.

OpenSource.com, a Mountain View-based firm, "works as a subscription service. Agencies email their raw general ledger data. ... The company maps the data, accounting for each municipality's unique chart of accounts – and provides a link to a website for review, often within a week."

British hacker indicted on charges of breaching agency networks

Ten days after the Government Accountability Office revealed hackers had infiltrated satellite data by hijacking a contractor's personal computer, federal prosecutors unsealed a set of indictments against a British man for breaching several U.S. government agency networks in another case.

The FBI said on July 25 that 29-year-old Lauri Love of Stradishall, England, had been indicted by a U.S. federal grand jury on charges of conspiracy, causing damage to a protected computer, access device fraud and aggravated identity theft. British law enforcement dropped their charges against Love on July 25 so the U.S. could pursue its charges.

According to the federal indictment, in October 2012 Love and co-conspirators broke into protected computers belonging to the Department of Energy, Department of Health and Human Services, the U.S. Sentencing Commission, the FBI's Regional Computer Forensics Laboratory, and computers at Deltek, Inc. and Forte Interactive Inc. by exploiting a known vulnerability in Adobe ColdFusion, a software program designed to build and administer websites and databases. The vulnerability, which has since been corrected, according to the FBI, allowed Love and the accomplices to access protected areas of the victims' computer servers without proper login credentials.

The indictment accused Love and his cohorts of obtaining administrator-level access to the networks using custom file managers, allowing them to upload and download files, edit, remove and search for data. It said Love and his group got more than 100,000 employee records with names, Social Security numbers, addresses, phone numbers, salary information and other financial records, including credit card numbers.

About the Author

Connect with the FCW staff on Twitter @FCWnow.
