AbilityOne Commission needs stronger cyber controls, IG says

An inspector general’s report has found the federal agency that employs more than 46,000 workers with disabilities continues to have systematic weaknesses in its cybersecurity.

The report, which was conducted in partnership with auditing firm McConnell & Jones LLP, found the AbilityOne Commission’s cyber posture fell short of Federal Information Security Management Act, or FISMA, reporting compliance.

The IG said the commission — which employs disabled workers to provide products and services to federal agencies — has continued to make strides in improving its cybersecurity, but investigators found 11 areas in which it fell short of the 2002 law’s requirements.

The report found that the commission was deficient in areas such as monthly vulnerability scanning, security assessment and authorization, termination of former or transferred employees’ system access, contingency and response training, and continuous monitoring performance, among other issues.

The report credited much of the shortfalls to a lack of personnel, budget or time constraints, but the IG offered 29 recommendations on how to remediate the problems.

The AbilityOne Commission concurred with or promised to address the many of the reporting recommendations offered by the IG, taking issue only with physical and environmental control recommendations in the report.

The AbilityOne Commission said they had resolved some of the recommendations and would address the remainder by various dates in 2018.