Auditor Finds Infosec Weaknesses in Most FBI Domains

There are weaknesses in six out of the FBI’s seven information security domains, according to an independent auditor that recommended 38 separate fixes.

The findings were only released in a brief summary because of concerns hackers might capitalize on them.

The summary is the most recent in the annual cascade of agency compliance reports with the Federal Information Security Management Act, the main law governing government cyber protections.

Because the audit, performed by the consultant KPMG, does not provide many details, it’s impossible to assess the severity of the agency’s weaknesses or the urgency of the report’s recommendations.

The FBI is responsible for investigating major cyber crimes. The bureau also stores sensitive information about investigations, personnel files and background investigations for top government officials.

The Homeland Security Department, which is the lead agency for civilian government cybersecurity, fell just short of acceptable marks on its information security review. The department received a score of 3 out 5 on three of its rated areas—protection, detection and recovery. The department scored 4 out of 5 in the two remaining areas.

Agencies must receive a 4 in a majority of areas to be considered “effective overall,” according to the report.

A review of Interior Department protections found the department had not established an incident response plan or a plan to deal with information security contingencies.

Two Interior divisions had not fully adopted risk management frameworks or implemented continuous monitoring programs for information security, according to the report. Those divisions were the Bureau of Safety and Environmental Enforcement and the Bureau of Ocean Energy Management.