The federal agency responsible for investigating chemical spills has no plan to ensure its staff use a cryptographic smartcard as a “second factor” in addition to a password to log on to government networks, according to a new watchdog report.
While the Chemical Safety Board said its laptops and desktops have readers for the cards, known as personal identity verification — or PIV — cards, and that staff can use plug-in USB PIV readers, the agency does not have a formal plan for implementing PIV for logical access, that is, for logging on to systems and networks rather than for entering buildings. The agency said it is still investigating the risks of such a program, particularly with regard to inspectors in the field.
The annual report — released Wednesday and compiled by the Environmental Protection Agency’s inspector general, who also acts as the IG of the chemical board — is required by the Federal Information Security Management Act.
Auditors also found the board didn’t have specialized training requirement policies fully established, and it didn’t have an inventory for systems managed by other agencies or contractors, or assurances that they were properly protected.
“As such, questions exist as to whether CSB is doing all it can to protect the confidentiality, integrity and availability of information technology resources and stored data,” the report said.
In a response letter included in the report, board Chairwoman Vanessa Allen Sutherland said the agency had planned for logical access with PIV credentials — but hadn’t implemented it. She also added that her organization will work to add systems operated by other agencies to its system security plan and obtain supporting documents regarding the servicing agency’s security controls.
Implementing multifactor authentication, using PIV cards, was a key piece of the administration’s cybersecurity sprint following the hack of the Office of Personnel Management’s systems.
“One of the most significant steps any organization can take to reduce the risk of adversaries penetrating networks and systems is requiring the use of a hardware-based Personal Identity Verification (PIV) card or an alternative form of strong authentication,” wrote U.S. CIO Tony Scott in a blog post laying out the results of the cyber sprint.
The news was first reported by NextGov.