While the Department of Labor (DOL) has consistently complied with Federal Information Security Management Act (FISMA) standards, the Office of the Inspector General (OIG) reported on Dec. 23 that the agency’s information security program is, overall, ineffective.
“Over the past year, DOL has made strides in implementing tools from the [Continuous Diagnostics and Mitigation] program that, once operational, will provide insights, metrics, and reports/dashboards to senior management and assist them with risk-based decisions,” the report states. “However, for these tools to provide the necessary information to senior management, DOL also needs to develop and implement performance metrics to measure the performance of the cybersecurity functions.”
The lack of performance metrics for security control areas – including identity and access management and risk management – leaves DOL at risk of unauthorized access and data mismanagement.
Another of OIG’s main concerns was DOL’s handling of personally identifiable information (PII) and its slow response to cyber incidents. OIG wrote that DOL did not prioritize reporting cyber and PII incidents to the U.S. Computer Emergency Readiness Team (US-CERT) due to a lack of management oversight.
The information security issues were widespread throughout the agency and OIG made a total of 20 recommendations. Key recommendations to DOL include:
- Implement technology to detect and prevent unauthorized hardware and software connections;
- Adhere to SECURE Technology Act requirements for cyber supply chain risk management;
- Improve monitoring controls to track and remediate vulnerabilities;
- Conduct PII training to enforce incident reporting guidelines;
- Enforce the incident response monitoring process and procedures to verify accurate reporting; and
- Enhance backup monitoring controls to prevent backup failures and improve responsiveness.
In response, DOL CIO Gundeep Ahluwalia suggested revisions to five of the OIG recommendations. The CIO said that DOL did not receive the correct template to self-assess its information security procedures, and that 95 percent of cyber incidents that occurred at DOL were reported to US-CERT within one hour.