Tech

Foreign IT subcontractor had improper access to Commerce system, audit says

Commerce sent sensitive data from a document management system to a Canada-based subcontractor with "unvetted foreign nationals," according to a new IG report.

By Joe Warminsky

February 13, 2020

(Getty Images)

Employees of a foreign IT subcontractor had unauthorized access to sensitive data on a Department of Commerce document management system, and the department mishandled some aspects of the response, according to Commerce’s Office of the Inspector General.

As the Canada-based subcontractor was helping Salient Crgt, Inc. build the Enterprise Web Solutions (EWS) system from 2014 onward, the department sent the subcontractor thousands of high-level documents and gave workers remote administrative access to the system, the OIG report says. The subcontractor’s employees were “unvetted foreign nationals” who didn’t meet the contract requirements to work for the department, the OIG says.

The OIG says it briefed the department’s acting CIO in April 2019 about the data exposure, and Commerce “incident responders” did take the appropriate steps of reporting the case to the Department of Homeland Security. Commerce officials erred, however, because they didn’t consider another set of criteria that applied to the case.

The department should have considered Office of Management and Budget rules “regarding harm to foreign relations and the national economy that was posed by the release of sensitive trade and foreign relations data to unvetted foreign nationals based in a country with which the U.S. government was negotiating.” At that point, Commerce was part of the negotiations on new North American trade rules that included Canada.

EWS is based at Commerce headquarters in Washington and handles documents such as official correspondence between top officials at the department; notifications that are sent to state and congressional leaders about department grants; and the secretary of Commerce’s briefing book — a repository of resources and information, some of it related to “sensitive issues related to trade and foreign relations.”

The OIG recommendations include additional reviews of who has access to Commerce systems, and reviews of how the department responds to such data exposures in the future.

The department’s acting CIO, André Mendes, responded to the OIG report with a letter saying the Office of the Secretary “generally concurs” with the audit’s findings. The office made suggestions about the draft of the report that it saw during 2019, and those comments are reflected in the final version issued this week, the OIG says.

The briefing documents in question were all from previous Commerce Secretary Penny Pritzker, according to the report.

Foreign IT subcontractor had improper access to Commerce system, audit says

More Like This

ICE pursuing privacy approvals related to controversial phone location data

House Modernization panel advances bill to improve CRS’s data access in first-ever markup

Commerce requests information about AI, open data assets, data dissemination

Top Stories

Security flaws in IRS systems pose risk to financial statements, GAO says

DOJ seeks public input on AI use in criminal justice system

DHS picks OMB official to lead its new AI Corps

CISA’s chief data officer: Bias in AI models won’t be the same for every agency

GSA taps Login.gov deputy director to take top role next month

Scientists must be empowered — not replaced — by AI, report to White House argues

404 page: the error sites of federal agencies

White House hopeful ‘more maturity’ of data collection will improve AI inventories

More Scoops

NTIA calls for independent audits of AI systems in new accountability report

Commerce proposes rule aimed at protecting cloud services from foreign cyber threats

Commerce Secretary Raimondo: NIST AI framework is ‘gold standard’

Commerce’s Office of the Secretary used default passwords for endpoint detection

Gerald Caron leaves HHS to become CIO at International Trade Administration

DOJ agrees to prevent AlphaDetective AI software from falling into foreign adversaries’ hands

State Department watchdog finds major issues with agency geospatial data compliance

Latest Podcasts

Foreign IT subcontractor had improper access to Commerce system, audit says

GSA’s Login.gov platform gets a new director

DOD’s Ashley Elizabeth Evans on effectively implementing AI

DHS’ Chris Kraft on emerging trends in AI and automation

Tech

Defense

Cyber

Acquisition