A Commerce Department watchdog is putting agency officials on notice: His team will be poking around the agency’s policies for protecting computer systems from cyberattacks.
A Feb. 29 memo from Allen Crawley, the assistant inspector general for systems acquisition and IT security, says the IG’s office is kicking off an audit of the department’s IT security policies and practices for systems that store personally identifiable information as well as information of those involved in national security or intelligence activities.
The IG’s office sent the memo to Commerce Chief Information Officer Steve Cooper and Catrina Purvis, the agency’s top privacy official and director of the Office of Privacy and Open Government. Also copied on the memo were Rod Turk, the agency’s chief information security officer, and a slew of IT officials from Commerce’s bureaus.
The IG plans to conduct fieldwork both inside the agency and at contractor sites, according to the memo.
The security review is required by the Cybersecurity Act of 2015, which was included in the massive $1.1 trillion omnibus funding measure and approved by Congress late last year.
Along putting the Department of Homeland Security in charge of automated cyberthreat information sharing and a host of other measures, the bill also required agency IGs to probe how agencies handle security of sensitive computer systems.
Specifically, IGs are directed to examine whether agencies use multifactor authentication to control access to sensitive systems, how they conduct software inventories and what capabilities they use to monitor and detect attempted exfiltration of data and other threats.
Agency watchdogs have until August to complete their security reviews and submit them to Congress.
The security of agency networks has been under scrutiny since the Office of Personnel Management revealed last summer a massive data breach involving sensitive background investigation files of some 21.5 million federal employees, retirees and contractors.
In the wake of the breach, the White House ordered agencies to immediately tighten security as part of a 30-day “cybersecurity sprint.” During the exercise, the percentage of federal employees required to use a smart card in addition to a password to log on increased from about 43 percent to more than 72 percent during, according to OMB. That percentage has continued to inch upward, officials say.