IG warns Labor on information security

Shutterstock image (by Maksim Kabakou): cyber defense conept, magnifying glass.

The Department of Labor has demonstrated "significant deficiencies" in key information security areas over the last five years, according to the DOL inspector general, who outlined a history of problems in the areas of access control, third-party oversight and configuration management.

According to the report, 11 former employees accessed agency networks with old credentials, and over a period of years the department had a history of failing to switch off access privileges for former employees.

Labor began to implement the use of personal identity verification cards only "in response to the Office of Personnel Management breach," per the report. However, the department failed to meet White House targets for identity, credential and access management in the recent cybersecurity sprint: 68 percent of privileged users and 65 percent of unprivileged users access agency networks via multifactor authentication. The administration set the bar for success at 75 percent.

The report also cites deficiencies in oversight of DOL systems operated by third parties. Problems included "physical and logical access controls not in place, improper use of shared accounts, system security assessments not performed, business impact assessments not performed, untested contingency plan, interconnections not fully documented, and agreements not in place," the report said.

OIG also warned Labor about the lack of a secure process for patching and upgrading software, and fixing vulnerabilities based on known security flaws.

The report notes that despite reports of progress, OIG "audits continue to identify similar deficiencies in information security." The report recommends that DOL adopt the same focus used to implement multi-factor authentication under the cyber sprint in remediating other access-control problems.

DOL submitted reply comments within the 10-day time frame urged by IG’s office, but an OIG representative told FCW that the responses were still being digested and no decision had been made on whether they would be released. Emails to the public affairs staff and CIO office at the Labor Department were not returned.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.


  • People
    Federal CIO Suzette Kent

    Federal CIO Kent to exit in July

    During her tenure, Suzette Kent pushed on policies including Trusted Internet Connection, identity management and the creation of the Chief Data Officers Council

  • Defense
    Essye Miller, Director at Defense Information Management, speaks during the Breaking the Gender Barrier panel at the Air Space, Cyber Conference in National Harbor, Md., Sept. 19, 2017. (U.S. Air Force photo/Staff Sgt. Chad Trujillo)

    Essye Miller: The exit interview

    Essye Miller, DOD's outgoing principal deputy CIO, talks about COVID, the state of the tech workforce and the hard conversations DOD has to have to prepare personnel for the future.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.