Labor CIO pushes back against critical IG report

The top tech official at the Labor Department said officials have made progress in remediating information security weaknesses, and she raised concerns about the "completeness and accuracy" of a critical report released by the Office of Inspector General at the end of July.

The report, which was a roundup of previous probes by Labor's OIG, asserted that the department only recently turned its attention to implementing two-factor authentication agencywide in response to data breaches at the Office of Personnel Management. It also detailed lingering problems with privileged access to government systems by former employees and contractors.

Labor CIO Dawn Leaf wrote in her reply to the OIG's report that officials had directed components "to address system-specific access control-related issues well before the OPM breach occurred." Her reply, dated Aug. 14, was posted publicly with some redactions on Aug. 21.

Labor had to shift "a tremendous amount of resources" to speed up compliance with the governmentwide cybersecurity sprint targets in the wake of the OPM hack, Leaf wrote. The effort so far has required the equivalent of thousands of hours of staff time to put new equipment and credentials into place, she added.

Leaf also noted that Congress cut Labor's IT modernization funding by $4.1 million from fiscal 2014 to fiscal 2015.

"This lack of funding has directly impacted the ability of DOL to improve its IT security posture, including but not limited to the identity [and] access management project," she wrote.

Labor finished the sprint without hitting the targets set by U.S. CIO Tony Scott. However, as of Aug. 14, the department had implemented two-factor authentication for 80 percent of privileged users and 78 percent of general users -- just above the governmentwide goal of 75 percent in each category. According to Leaf, Labor officials have a plan to achieve full compliance with two-factor authentication by Sept. 30.

Additionally, Leaf said some of the OIG's information lacked context with regard to former employees' access to Labor systems. "In some cases," she wrote, "several isolated access control-related issues have been extrapolated from the various reports and combined with dissimilar issues to suggest a problem larger in scope than [what] is demonstrated by the analysis."

Her comments suggest that when it comes to cybersecurity, the department's leaders and watchdogs have not been on the same page for a long time. The OIG has prepared multiple reports in the past several years that warn of vulnerabilities and weaknesses in information security, but they have not been publicly released because of concerns about sensitive information.

"Previously, management has made the point that the audit reports do not provide the requisite linkage between the findings and risks or events that could be expected to rise to the level of seriousness contemplated by the term 'significant deficiency' as defined by" the Office of Management and Budget, Leaf wrote.

As Labor officials address some of the problems identified by the OIG, the department's "policies, procedures, and its physical and logically separated systems with supporting boundary controls collectively provide appropriate mitigating safeguards and redundant security measures," she added.