Cybersecurity

Senators question Thrift Savings Plan's security

Are federal retirement accounts safe from hackers?

Probably not, and the board in charge is failing to address security concerns or even let auditors test the extent of the vulnerabilities, a bipartisan pair of senators said.

In a letter to Federal Retirement Thrift Investment Board Chairman Michael Kennedy, Sens. Ron Johnson (R-Wis.) and Tom Carper (D-Del.) expressed concerns about the security of the Thrift Savings Plan, the retirement vehicle for millions of federal employees and military service members.

In 2011, a data breach exposed the Social Security numbers of 123,000 TSP account holders to malicious actors, and the senators allege that not much has changed since then.

"According to federal auditors, the board has failed to fix security flaws identified for years," wrote Johnson and Carper, chairman and ranking member, respectively, of the Homeland Security and Governmental Affairs Committee.

The letter also notes that the board is apparently not allowing auditors to conduct penetration tests that would help reveal the extent of security risks.

"Independent assessment is an essential part of any organization's cyber risk management program," the senators wrote. "We urge you to allow the auditors to conduct the necessary penetration testing so that you may know where any potential vulnerabilities might exist before those who wish to steal our information do."

The senators asked Kennedy to address five questions:

  1. Has the agency undergone any assessments, audits or independent reviews of its cybersecurity posture, including assessments required under the Federal Information Security Management Act?
  2. What are the plans to work with auditors at the Labor Department to ensure that the board is building an effective and robust security program?
  3. Why didn't the board comply with the reporting requirements under FISMA?
  4. How does the board plan to work with the Office of Management and Budget to come into compliance with FISMA?
  5. How does the board work with the Department of Homeland Security to take advantage of its resources, including the Continuous Diagnostics and Mitigation program, the protections of the Einstein program, and services at the U.S. Computer Emergency Readiness Team? What other programs and services has the board used to assess and improve its information security, such as those offered by other federal agencies or private-sector firms, if any?

The board was not able to immediately confirm whether the May 7 letter had been received or answered.

About the Author

Zach Noble is a former FCW staff writer.

Featured

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.