Employees of a foreign IT subcontractor had unauthorized access to sensitive data on a Department of Commerce document management system, and the department mishandled some aspects of the response, according to Commerce’s Office of the Inspector General.
As the Canada-based subcontractor was helping Salient Crgt, Inc. build the Enterprise Web Solutions (EWS) system from 2014 onward, the department sent the subcontractor thousands of high-level documents and gave workers remote administrative access to the system, the OIG report says. The subcontractor’s employees were “unvetted foreign nationals” who didn’t meet the contract requirements to work for the department, the OIG says.
The OIG says it briefed the department’s acting CIO in April 2019 about the data exposure, and Commerce “incident responders” did take the appropriate steps of reporting the case to the Department of Homeland Security. Commerce officials erred, however, because they didn’t consider another set of criteria that applied to the case.
The department should have considered Office of Management and Budget rules “regarding harm to foreign relations and the national economy that was posed by the release of sensitive trade and foreign relations data to unvetted foreign nationals based in a country with which the U.S. government was negotiating.” At that point, Commerce was part of the negotiations on new North American trade rules that included Canada.
EWS is based at Commerce headquarters in Washington and handles documents such as official correspondence between top officials at the department; notifications that are sent to state and congressional leaders about department grants; and the secretary of Commerce’s briefing book — a repository of resources and information, some of it related to “sensitive issues related to trade and foreign relations.”
The OIG recommendations include additional reviews of who has access to Commerce systems, and reviews of how the department responds to such data exposures in the future.
The department’s acting CIO, André Mendes, responded to the OIG report with a letter saying the Office of the Secretary “generally concurs” with the audit’s findings. The office made suggestions about the draft of the report that it saw during 2019, and those comments are reflected in the final version issued this week, the OIG says.
The briefing documents in question were all from previous Commerce Secretary Penny Pritzker, according to the report.