Audit: Labor Department Information Security Program ‘Not Effective’


Auditors made 18 recommendations to remediate some of the agency’s longstanding issues.

Third-party auditors found deficiencies in the Labor Department’s information security and continuous monitoring controls.

KPMG, which performed an audit released Tuesday by the Labor Department Office of Inspector General, alerted the department’s chief information officer to 45 control deficiencies and a host of other findings.

Among them, KPMG identified issues with the Labor Department’s cybersecurity function maturity levels. The audit, performed in accordance with the Federal Information Security Modernization Act of 2014—also known as FISMA—assessed security controls over five cybersecurity function areas.

Using CyberScope, a web-based tool operated by the Department of Homeland Security, auditors determined Labor’s “information security was not effective” because a majority of the agency’s reporting metrics did not reach the appropriate maturity threshold.

“During FY 2021, we tested security controls at the entity level and for a selection of 20 systems. In addition, we conducted a targeted vulnerability assessment on selected devices for 12 of 20 selected DOL information systems,” auditors wrote. “We identified and reported 16 findings in this report based on 45 notice of findings that we issued to DOL management.”

Auditors specifically noted deficiencies in “the performance of security control assessments, account management controls and maintenance of system security plans,” and made 18 recommendations related to those control deficiencies.

“DOL should also implement a process to determine if these recommendations apply to other information systems maintained in its FISMA inventory. Furthermore, the OCIO should implement robust monitoring capabilities to continually assess the security state of these systems to include a process to hold these agencies accountable for identified compliance gaps,” the audit states.

The audit also points out that while the Labor Department “showed some improvements” since the previous fiscal 2020 FISMA audit, “we remain concerned about the remaining corrections needed in the Office of Chief Information Officer’s oversight and accountability over the Department’s information security control environment.”

Auditors said Labor successfully closed 11 of 43 open FISMA audit-related recommendations dating back to 2018. OCIO generally agreed with the audit’s 18 recommendations and stated it “has addressed or has developed plans to address all recommendations.”