IG warns Labor on information security

The Department of Labor has demonstrated "significant deficiencies" in key information security areas over the last five years, according to the DOL inspector general, who outlined a history of problems in the areas of access control, third-party oversight and configuration management.

According to the report, 11 former employees accessed agency networks with old credentials, and over a period of years the department had a history of failing to switch off access privileges for former employees.

Labor began to implement the use of personal identity verification cards only "in response to the Office of Personnel Management breach," per the report. However, the department failed to meet White House targets for identity, credential and access management in the recent cybersecurity sprint: 68 percent of privileged users and 65 percent of unprivileged users access agency networks via multifactor authentication. The administration set the bar for success at 75 percent.

The report also cites deficiencies in oversight of DOL systems operated by third parties. Problems included "physical and logical access controls not in place, improper use of shared accounts, system security assessments not performed, business impact assessments not performed, untested contingency plan, interconnections not fully documented, and agreements not in place," the report said.

OIG also warned Labor about the lack of a secure process for patching and upgrading software, and fixing vulnerabilities based on known security flaws.

The report notes that despite reports of progress, OIG "audits continue to identify similar deficiencies in information security." The report recommends that DOL adopt the same focus used to implement multi-factor authentication under the cyber sprint in remediating other access-control problems.

DOL submitted reply comments within the 10-day time frame urged by the IG’s office, but an OIG representative told FCW that the responses were still being digested and no decision had been made on whether they would be released. Emails to the public affairs staff and CIO office at the Labor Department were not returned.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.
