The Federal Retirement Thrift Investment Board refuses to let auditors probe until satisfied that FISMA directives will not fracture the Chinese wall between OMB and the board.
The board of a hacked federal employee retirement plan is struggling to comply with government cybersecurity rules, because of concerns the requirements infringe on the organization's independence, the Federal Retirement Thrift Investment Board says.
The admission comes as the agency faces a grilling from senators over a Labor Department review that pointed out longstanding security weaknesses.
Data on Thrift Savings Plan members has been raided before. In 2011, attackers compromised the Social Security numbers and other personal data of 123,000 Thrift Savings Plan investors maintained on a contractor's network. More than 4.7 million federal civilian and military personnel participate in the plan.
Now it has surfaced that the agency never followed through on penetration testing, or “ethical hacking.” In this basic network defense, a security professional is authorized to probe a system for exploitable weaknesses, in the same way a real attacker would, so that holes can be closed before the real bad guys find them.
According to the Office of Management and Budget, penetration testing is mandatory to comply with the Federal Information Security Management Act.
But the board, which manages $450 billion in total assets, refuses to let auditors probe until it's satisfied that FISMA directives will not fracture the Chinese wall between OMB and the board.
"The primary issue for us surrounding FISMA does not relate to specific controls or technical guidance -- instead, because of our status as fiduciaries, any potential issues arise in the area where OMB may have the authority to direct agency spending," board spokeswoman Kim Weaver said.
"Congress determined in enacting" the Federal Employees' Retirement System Act "that it would be inappropriate for the president or Congress to tell [the board] how to spend participant money, particularly when the board and the executive director have a fiduciary responsibility to the plan," she said.
Overseers Cannot Probe Board Networks
At a board meeting last month, the Labor Department’s Employee Benefits Security Administration auditors complained about being restricted from inspecting hardware and software.
Weaver on Friday acknowledged, "To date, no penetration test has been conducted." The board’s contractors have not performed penetration tests, either.
A Thrift Savings Plan contract awarded to SAIC in 2013 included penetration testing clauses. But the agency instructed contractors to first address "other important information security matters including expanding and strengthening a first-generation security operations center and a network operations center,” Weaver said.
SAIC itself is no stranger to data thieves. The same year savings plan records were breached, in a separate incident, information on 4.9 million TRICARE military health care beneficiaries was compromised after backup tapes were stolen from an SAIC contractor's car.
Meanwhile, various hackers over the past year have successfully taken aim at government-held data from the Postal Service, State Department and federal employee background checker KeyPoint.
Last week, the Homeland Security and Governmental Affairs Committee aired concerns about the findings by Labor officials.
The board should "allow the auditors to conduct the necessary penetration testing so that you may know where any potential vulnerabilities might exist before those who wish to steal our information do," committee chairman Sen. Ron Johnson, R-Wis., and ranking Democrat Sen. Tom Carper, D-Del., said in a letter to the board.
"Going forward, I expect that you will make every effort to meet your obligations under FISMA," they added. In 2014, the agency did not submit compliance data to OMB, the senators said.
On Friday, Weaver clarified that the board has not blocked Labor from performing system testing.
The board "has never taken the position that DOL auditors were not permitted to conduct network penetration testing," she said. At the time of last month's meeting, the board was cooperating to ensure there are "proper legal and other safeguards in place prior to allowing anyone such sensitive access to its systems, as that is the obligation the [board] has to our participants."