Audit of DOL IT security finds deficiencies

Complex and extensive, the FISMA cybersecurity requirements government agencies must implement total over 60 pages of metrics.


More than eight months after the Labor Department issued a list of best cybersecurity practices for ERISA practitioners, the department’s Inspector General has released a report that found Labor’s own IT security seriously lacking.

The report was based on an audit conducted by KPMG, which noted more than a dozen problems with the Labor Department’s information security systems.

For instance, IG Carolyn Hantz said the department had not conducted annual security control assessments for 30 systems during FY21.

“Failure to complete an annual security control assessment could result in threats and vulnerabilities going overlooked, which can result in an increased risk to the confidentiality, integrity, and availability of DOL information systems and data,” the IG said.

Hantz also said the Labor Department has not instituted an effective supply chain risk management program and has failed to keep an accurate record of computer hardware. The department also did not log or review DOL user accounts.

The department said it agreed with the IG’s assessment and that the issues noted will be addressed.

In April, the Employee Benefits Security Administration (EBSA) issued guidance intended to address cybersecurity among practitioners.

“The cybersecurity guidance we issued today is an important step towards helping plan sponsors, fiduciaries and participants to safeguard retirement benefits and personal information,” Acting Assistant Secretary for Employee Benefits Security Ali Khawar said at the time. “This much-needed guidance emphasizes the importance that plan sponsors and fiduciaries must place on combatting cybercrime and gives important tips to participants and beneficiaries on remaining vigilant against emerging cyber threats.”

In several ways, the guidance mirrors some of the practices that Hantz said the Labor Department does not follow.

For instance, EBSA said that covered plans need to conduct “prudent annual risk assessments.”

“A sound cybersecurity program identifies and assesses internal and external cybersecurity risks that may threaten the confidentiality, integrity, or availability of stored nonpublic information,” the guidance states.

However, the IG said her office found instances in which the department’s management “would informally accept risk, rather than identify, assess, and respond to risk.”

The guidance also states that, “As a senior executive, the Chief Information Security Officer (CISO) would generally establish and maintain the vision, strategy, and operation of the cybersecurity program.”

Looking at the entire Labor Department, Hantz said, “In reviewing the results from KPMG’s testing, we are concerned the CIO’s oversight over the Department’s information technology is not ensuring progress on implementing Information Security Continuous Monitoring controls.”
