Watchdog Warns of "Very Serious" Cybersecurity Failures at DOL

    Identity verification systems that allow employees of the U.S. Department of Labor to access secure information systems are woefully lacking in security measures, according to DOL’s Office of the Inspector General.

    A September 7 letter from DOL’s assistant inspector general for audit, obtained by Scribe through a Freedom of Information Act request, details “significant weaknesses” in the department’s PIV-II security program. PIV-II refers to measures taken to verify the identities of federal workers seeking access to secure information.

    “Taken individually, these weaknesses are very serious,” the letter states. “Taken as a whole, their impact on the PIV-II security program places the Department at high risk for harm to infrastructure, systems, data, employees, contractors, and visitors.”

    Among the most troubling weaknesses identified in the letter is the apparent ability of DOL employees to gain unauthorized access to information. More than 75% of the users examined, the letter states, “were granted system access privileges exceeding authorization.”

    The list of weaknesses identified in the letter:

    562 separated DOL employees held active PIV-II accounts after separation.

    5 PIV-II system role-based users held active PIV-II accounts after separation.

    PIV-II role-based user accounts were not disabled after 60 days of inactivity. Of 223 PIV-II role-based user accounts, 125 were not accessed or disabled within the past 60 days.

    The system did not lock out users after the third failed login attempt. The remediation for this issue was approved for closure by a third-party assessor last October.

    28 of the 36 PIV-II role-based users tested were granted system access privileges exceeding authorization.

    28 of 45 PIV-II role-based users have 2 or more roles that federal policy (FIPS 201-1) requires to be mutually exclusive, meaning that no single user should possess more than one of the following roles: (1) Sponsor, (2) Registrar, or (3) Issuer.
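    As an added illustration (not part of the article or the OIG letter), the following Python script runs the roster-level checks behind four of the findings above over a constructed PIV-II account list: active accounts after separation, accounts not disabled after 60 days of inactivity, granted privileges exceeding authorization, and users holding more than one of the FIPS 201-1 mutually exclusive roles. The account fields, user names and dates are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constants drawn from the findings: 60-day inactivity limit and the three
# FIPS 201-1 roles that must not be held together by one user.
INACTIVITY_LIMIT = timedelta(days=60)
EXCLUSIVE_ROLES = {"Sponsor", "Registrar", "Issuer"}

@dataclass
class Account:
    user: str
    active: bool                            # account is enabled in the PIV-II system
    last_login: date
    separated_on: Optional[date] = None     # None while still employed
    authorized: set = field(default_factory=set)  # privileges approved for the user
    granted: set = field(default_factory=set)     # privileges actually assigned
    roles: set = field(default_factory=set)       # PIV-II system roles held

def audit(accounts, as_of):
    """Return {finding: [users]} for the weaknesses a roster review can surface."""
    findings = {"active_after_separation": [], "stale_not_disabled": [],
                "privileges_exceed_authorization": [], "exclusive_roles_combined": []}
    for a in accounts:
        if a.active and a.separated_on is not None and a.separated_on <= as_of:
            findings["active_after_separation"].append(a.user)
        if a.active and as_of - a.last_login > INACTIVITY_LIMIT:
            findings["stale_not_disabled"].append(a.user)
        if a.granted - a.authorized:            # granted but never authorized
            findings["privileges_exceed_authorization"].append(a.user)
        if len(a.roles & EXCLUSIVE_ROLES) > 1:  # separation-of-duties violation
            findings["exclusive_roles_combined"].append(a.user)
    return findings

# Constructed sample roster (hypothetical users, not data from the OIG letter).
AS_OF = date(2011, 9, 7)
SAMPLE = [
    Account("alice", True, date(2011, 9, 1), authorized={"read"}, granted={"read"}, roles={"Sponsor"}),
    Account("bob", True, date(2011, 6, 1), separated_on=date(2011, 6, 15), authorized={"read"}, granted={"read"}),
    Account("carol", True, date(2011, 8, 30), authorized={"read"}, granted={"read", "admin"}),
    Account("dave", True, date(2011, 9, 5), roles={"Registrar", "Issuer"}),
    Account("erin", False, date(2011, 4, 20), separated_on=date(2011, 5, 1)),  # correctly disabled
]

if __name__ == "__main__":
    for finding, users in audit(SAMPLE, AS_OF).items():
        print(f"{finding}: {users or 'none'}")
```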

    According to the letter, DOL has not implemented OIG recommendations made last year in a more extensive report on the PIV system.

    The letter recommends that DOL “establish a prioritized corrective action plan” and “ensure the system owners receive the training that they need to meet their responsibilities.”

    Read the full letter here:

    Posted in Ongoing Priorities, Scribe
