The Secret Service, no stranger to security lapses, is being dinged by an internal auditor for not requiring two-step verification to access agency networks and for ignoring governmentwide rules for continuously monitoring network security.
For the past year, the Department of Homeland Security subdivision has refused to digitally report data about its cyber defenses, according to a new inspector general report.
DHS, which Congress last week designated the point agency on cybersecurity, is in charge of the federal continuous monitoring initiative. The department's inability to get its own agency to fall in line could raise questions about the enlargement of Homeland Security's cyber authorities.
"USSS’ refusal to provide the required data created a significant deficiency in the department’s information security program, as the [DHS chief information security officer] was severely restricted from performing continuous monitoring on the department’s information systems," DHS IG John Roth said in the report.
The Secret Service CIO had expressed concerns about the "operational security" of the data feeds, Roth said.
In a pointed Oct. 29 memo to Secret Service Acting Director Joseph Clancy, the inspector questioned why the Secret Service saw itself as an exception to the rule.
"Your agency's action puts at risk its own information systems and those of the department as a whole," Roth said. "I am not convinced that the Secret Service CIO's objection is well founded. Your CIO has given us no reason to believe that the established procedures for handling continuous feeds, established by the department's chief information security officer, presents a credible security concern. All department components handle sensitive information, and each of them, except for the Secret Service, complies with this requirement."
Regulations under the 2002 Federal Information Security Management Act order all agencies to electronically feed DHS, each month, vulnerability scans for networks and systems; data from endpoint management software; and data from other security tools.
After the inspector intervened, DHS and the Secret Service came to an agreement on a technique for supplying Homeland Security with the monitoring results.
The Secret Service did "have a concern with DHS's method for providing the results which we believe we have now resolved," Clancy told the inspector in a Nov. 7 letter. The arrangement states the agency will transmit feeds to the department beginning in fiscal 2015.
On Tuesday, agency spokesman Brian Leary said in an email: “The Secret Service has previously complied with FISMA and CDM reporting requirements and continues to support data monitoring of its systems. On Nov. 7, 2014, in response to DHS concerns, the Secret Service and the DHS CIO agreed on a reporting process for the required CDM data.”
In a related misstep, the Secret Service neglected to set up two-factor authentication for logging into agency networks, according to the report. All federal systems are supposed to block users from signing in until they present both a password and a so-called personal identity verification smartcard.
The agency has "not begun the implementation of using PIV cards for logical access," Roth said. In essence, this means all a hacker needs to log on to a Secret Service system is a password.
Agency officials declined to comment on when they plan to establish two-step identification.
In the physical world, the Secret Service during the past year failed to block trespassers from accessing White House grounds, ultimately resulting in the departure of former agency director Julia Pierson.
President Barack Obama on Thursday signed into law various bills positioning DHS as the lead civilian agency for national cybersecurity. One measure empowers Homeland Security to supervise governmentwide cybersecurity operations. Separate legislation aims to fast-track the hiring of DHS cybersecurity professionals. And another measure permanently places at DHS the existing 24-hour National Cybersecurity and Communications Integration Center, an information-sharing hub.