Labor CIO pushes back against critical IG report

The top tech official at the Labor Department said officials have made progress in remediating information security weaknesses, and she raised concerns about the "completeness and accuracy" of a critical report released by the Office of Inspector General at the end of July.

The report, which was a roundup of previous probes by Labor's OIG, asserted that the department only recently turned its attention to implementing two-factor authentication agencywide in response to data breaches at the Office of Personnel Management. It also detailed lingering problems with privileged access to government systems by former employees and contractors.

Labor CIO Dawn Leaf wrote in her reply to the OIG's report that officials had directed components "to address system-specific access control-related issues well before the OPM breach occurred." Her reply, dated Aug. 14, was posted publicly with some redactions on Aug. 21.

Labor had to shift "a tremendous amount of resources" to speed up compliance with the governmentwide cybersecurity sprint targets in the wake of the OPM hack, Leaf wrote. The effort so far has required the equivalent of thousands of hours of staff time to put new equipment and credentials into place, she added.

Leaf also noted that Congress cut Labor's IT modernization funding by $4.1 million from fiscal 2014 to fiscal 2015.

"This lack of funding has directly impacted the ability of DOL to improve its IT security posture, including but not limited to the identity [and] access management project," she wrote.

Labor finished the sprint without hitting the targets set by U.S. CIO Tony Scott. However, as of Aug. 14, the department had implemented two-factor authentication for 80 percent of privileged users and 78 percent of general users -- just above the governmentwide goal of 75 percent in each category. According to Leaf, Labor officials have a plan to achieve full compliance with two-factor authentication by Sept. 30.

Additionally, Leaf said some of the OIG's information lacked context with regard to former employees' access to Labor systems. "In some cases," she wrote, "several isolated access control-related issues have been extrapolated from the various reports and combined with dissimilar issues to suggest a problem larger in scope than [what] is demonstrated by the analysis."

Her comments suggest that when it comes to cybersecurity, the department's leaders and watchdogs have not been on the same page for a long time. The OIG has prepared multiple reports in the past several years that warn of vulnerabilities and weaknesses in information security, but they have not been publicly released because of concerns about sensitive information.

"Previously, management has made the point that the audit reports do not provide the requisite linkage between the findings and risks or events that could be expected to rise to the level of seriousness contemplated by the term 'significant deficiency' as defined by" the Office of Management and Budget, Leaf wrote.

As Labor officials address some of the problems identified by the OIG, the department's "policies, procedures, and its physical and logically separated systems with supporting boundary controls collectively provide appropriate mitigating safeguards and redundant security measures," she added.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.
