Senators question Thrift Savings Plan's security
The chairman and ranking member of the Senate Homeland Security and Governmental Affairs Committee want to know more about TSP's cybersecurity.
Are federal retirement accounts safe from hackers?
Probably not, and the board in charge is failing to address security concerns or even let auditors test the extent of the vulnerabilities, a bipartisan pair of senators said.
In a letter to Federal Retirement Thrift Investment Board Chairman Michael Kennedy, Sens. Ron Johnson (R-Wis.) and Tom Carper (D-Del.) expressed concerns about the security of the Thrift Savings Plan, the retirement vehicle for millions of federal employees and military service members.
In 2011, a data breach exposed the Social Security numbers of 123,000 TSP account holders to malicious actors, and the senators allege that not much has changed since then.
"According to federal auditors, the board has failed to fix security flaws identified for years," wrote Johnson and Carper, chairman and ranking member, respectively, of the Homeland Security and Governmental Affairs Committee.
The letter also notes that the board is apparently not allowing auditors to conduct penetration tests that would help reveal the extent of security risks.
"Independent assessment is an essential part of any organization's cyber risk management program," the senators wrote. "We urge you to allow the auditors to conduct the necessary penetration testing so that you may know where any potential vulnerabilities might exist before those who wish to steal our information do."
The senators asked Kennedy to address five questions:
- Has the agency undergone any assessments, audits or independent reviews of its cybersecurity posture, including assessments required under the Federal Information Security Management Act?
- What are the plans to work with auditors at the Labor Department to ensure that the board is building an effective and robust security program?
- Why didn't the board comply with the reporting requirements under FISMA?
- How does the board plan to work with the Office of Management and Budget to come into compliance with FISMA?
- How does the board work with the Department of Homeland Security to take advantage of its resources, including the Continuous Diagnostics and Mitigation program, the protections of the Einstein program, and services at the U.S. Computer Emergency Readiness Team? What other programs and services has the board used to assess and improve its information security, such as those offered by other federal agencies or private-sector firms, if any?
The board was not able to immediately confirm whether the May 7 letter had been received or answered.