Cybersecurity

Senators question Thrift Savings Plan's security

Are federal retirement accounts safe from hackers?

Probably not, and the board in charge is failing to address security concerns or even let auditors test the extent of the vulnerabilities, a bipartisan pair of senators said.

In a letter to Federal Retirement Thrift Investment Board Chairman Michael Kennedy, Sens. Ron Johnson (R-Wis.) and Tom Carper (D-Del.) expressed concerns about the security of the Thrift Savings Plan, the retirement vehicle for millions of federal employees and military service members.

In 2011, a data breach exposed the Social Security numbers of 123,000 TSP account holders to malicious actors, and the senators allege that not much has changed since then.

"According to federal auditors, the board has failed to fix security flaws identified for years," wrote Johnson and Carper, chairman and ranking member, respectively, of the Homeland Security and Governmental Affairs Committee.

The letter also notes that the board is apparently not allowing auditors to conduct penetration tests that would help reveal the extent of security risks.

"Independent assessment is an essential part of any organization's cyber risk management program," the senators wrote. "We urge you to allow the auditors to conduct the necessary penetration testing so that you may know where any potential vulnerabilities might exist before those who wish to steal our information do."

The senators asked Kennedy to address five questions:

  1. Has the agency undergone any assessments, audits or independent reviews of its cybersecurity posture, including assessments required under the Federal Information Security Management Act?
  2. What are the plans to work with auditors at the Labor Department to ensure that the board is building an effective and robust security program?
  3. Why didn't the board comply with the reporting requirements under FISMA?
  4. How does the board plan to work with the Office of Management and Budget to come into compliance with FISMA?
  5. How does the board work with the Department of Homeland Security to take advantage of its resources, including the Continuous Diagnostics and Mitigation program, the protections of the Einstein program, and services at the U.S. Computer Emergency Readiness Team? What other programs and services has the board used to assess and improve its information security, such as those offered by other federal agencies or private-sector firms, if any?

The board was not able to immediately confirm whether the May 7 letter had been received or answered.

About the Author

Zach Noble is a former FCW staff writer.

Featured

  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

  • Cloud
    cloud migration

    DHS cloud push comes with complications

    A pressing data center closure schedule and an ensuing scramble to move applications means that some Homeland Security components might need more than one hop to get to the cloud.

  • Comment
    Blue Signage and logo of the U.S. Department of Veterans Affairs

    Doing digital differently at VA

    The Department of Veterans Affairs CIO explains why digital transformation is not optional.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.