The Labor Department’s chief information officer is on the defense in the wake of a watchdog report critical of her agency’s cybersecurity efforts.
In response to an Office of the Inspector General report highlighting Labor’s system vulnerabilities, CIO Dawn Leaf in a Aug. 14 letter expressed “concerns with the completeness and accuracy of the subject report.”
For example, auditors had said the department only began using personal identity verification, or PIV, cards following the Office of Personnel Management breach. However, Leaf said her department had been working to bolster its access control since 2011, with the creation of its Identity and Access Management program.
Labor management told auditors about these actions. Even so, access controls were cited as deficient in the report, which authors compiled from past audits in the wake of the OPM hacks.
Leaf also noted that Labor has made recent efforts to increase its standing in identity and access management — even surpassing U.S. CIO Tony Scott’s two-factor authentication use rate target of 75 percent, with 78 percent of general users and 80 percent of privileged users adopting it. Though, preliminary results of the cyber sprint from July 31 showed that Labor had only achieved 65 percent overall adoption, up from none in April. The agency has issued a corrective action plan to reach full compliance by the end of fiscal year 2015.
According to Leaf’s memo, Labor also made plans late in 2014 to use the General Services Administration’s USAccess shared PIV services and complete that migration within two years. The OIG was satisfied with that plan and classified the issue as “resolved, pending completion but bought it up again in this most recent report,” she wrote.
In other areas, like configuration management and third-party oversight, Leaf said the OIG doesn’t paint an accurate picture of Labor’s efforts to improve security. Still, she said, Labor will “redouble efforts in accordance with the recommendations.”
Meanwhile, the department continually faces budget cuts that make deploying information security controls difficult, and some of the struggles in the OIG audit don’t take that into account, Leaf wrote.
“Despite OMB’s recommendation to increase DOL IT Modernization funding in FY 2015, the budget received from Congress cut the IT Modernization budget by $4.1M from the FY 2014 Enacted level and $15.4 from the Department’s FY 2015 President’s budget request,” she wrote. “This lack of funding has directly impacted the ability of DOL to improve its IT security posture, including but not limited to the Identity Access Management project.”