Appropriators consolidate cyber spending, IG dings HHS and more

HHS gets low marks on security card implementation

The Department of Health and Human Services' efforts at implementing secure ID cards were rated "inadequate" by the HHS Office of Inspector General.

A new IG report said HHS's implementation of the 2004 Homeland Security Presidential Directive 12 is uneven and has some vulnerabilities that could put the agency's security at risk.

The report said the agency's HSPD-12 efforts lacked controls to ensure that all credentialing requirements were met, and noted that identification cards weren't deactivated in a timely manner. It also said controls to access and manage the system were not tight enough.

According to the study, the HHS data center's network firewall configuration also didn't comply with its security policies.

The OIG also found that security management controls, including patch management, antivirus management, and configuration management, were not implemented on HSPD-12 workstations at any of the division PIV Card Issuance Facilities that were audited. The study said HHS also allowed nongovernmental computers to connect to card management systems.

The OIG recommended that HHS implement security requirements for card enrollment and issuance, deactivate of cards, system access, security management, physical security, and Web portals associated with the identity card program.

Senate appropriators seek to consolidate cyber spending

Tim Starks at CQ Roll Call reports that the Energy Department cybersecurity budget for energy, science and environmental missions spreads funding over 11 different accounts, and the Senate Appropriations Committee wants all of that nearly $150 million consolidated into one place.

The fiscal 2015 Energy and Water spending bill includes $304 million in cybersecurity funding for the Department of Energy, with $155 million for the National Nuclear Security Administration and $149 million for energy/science/environmental missions.

But the NNSA money is all coordinated by one official, and the report on the Senate bill says DOE "should follow NNSA's example of consolidating cybersecurity activities and funding authority to one person under one funding account."

California firm boosts state-level transparency

Federal agencies have the IT Dashboard, but GCN reports that a growing number of state and local government are turning to a California startup for their financial transparency efforts.

OpenSource.com, a Mountain View-based firm, "works as a subscription service. Agencies email their raw general ledger data. ... The company maps the data, accounting for each municipality's unique chart of accounts –and provides a link to a website for review, often within a week."

British hacker indicted on charges of breaching agency networks

Ten days after the Government Accountability Office revealed hackers had infiltrated satellite data by hijacking a contractor's personal computer, federal prosecutors unsealed a set of indictments against a British man for breaching several U.S. government agency networks in another case.

The FBI said on July 25 that 29-year-old Lauri Love of Stradishall, England, had been indicted by a U.S. federal grand jury on charges of conspiracy, causing damage to a protected computer, access device fraud and aggravated identity theft. British law enforcement dropped their charges against Love on July 25 so the U.S. could pursue its charges.

According to the federal indictment, in October 2012 Love and coconspirators broke into protected computers belonging to the Department of Energy, Department of Health and Human Services, the U.S. Sentencing Commission, the FBI's Regional Computer Forensics Laboratory, and computers at Deltek, Inc. and Forte Interactive Inc. by exploiting a known vulnerability in Adobe ColdFusion, a software program designed to build and administer websites and databases. The vulnerability, which has since been corrected, according to the FBI, allowed Love and the accomplices to access protected areas of the victims' computer servers without proper login credentials.

The indictment accused Love and his cohorts of obtaining administrator-level access to the networks using custom file managers, allowing them to upload and download files, edit, remove and search for data. It said Love and his group got more than 100,000 employee records with names, Social Security numbers, addresses, phone numbers, salary information and other financial records, including credit card numbers.