The Department of Labor didn’t properly report cybersecurity incidents containing personally identifiable information to the federal emergency response team, the agency inspector general found in its annual review of DoL cybersecurity practices.
On top of that, the IG found several instances where databases containing PII didn’t have encryption capabilities turned on.
“DOL management did not prioritize reporting incidents, including PII incidents, to US-CERT [Computer Emergency Readiness Team] and DOL Computer Security Incident Response Capability (DOLCSIRC) in a timely manner,” the IG wrote in the report released Dec. 23. “Failure to report PII security incidents to appropriate incident reporting capabilities in a timely manner could expose DOL to unnecessary reputational risks.”
Under guidance from the National Institute of Standards and Technology, a Commerce Department entity that sets cybersecurity best practices, organizations are told to report security incidents to response teams inside a time frame set by the entity.
“Incident reporting control owners failed to follow proper procedures due to management oversight, and they failed to report the incidents in a timely manner to US-CERT,” the IG wrote.
In response, the CIO’s office said that its policies required it to report incidents to US-CERT within an hour, and that of the 317 incidents it reported, 301 were within that window. “Most” of the remaining incidents were reported within three hours, with the longest delay clocking in at three days, the CIO’s office wrote in its response. The report didn’t go into specific detail about the breaches.
“We believe when examined in total that the DoL incident reporting program, while not perfect, is certainly operating at an acceptable level and that while the few deficiencies are fairly noted, they do not rise to the level of a reportable finding,” the CIO officials wrote.
The IG report, mandated by the Federal Information Security Modernization Act of 2014, found several other cybersecurity shortfalls that hampered Labor’s cybersecurity improvement efforts in fiscal 2019. Aside from the failure to report breaches in a timely fashion, the IG found that Labor didn’t have performance metrics to evaluate different aspects of their cybersecurity posture in several areas.
Labor didn’t implement performance metrics for risk management, configuration management, identity and access management, and contingency planning.
Without proper performance metrics, the agency risks implementing ineffective controls that could harm the integrity of Labor’s data, lead to data loss, or result in a failure to detect unauthorized access, the IG wrote.
The IG found that the department didn’t implement necessary tools in specific network areas to protect itself against cyber incidents. In the areas of risk management, configuration management, and identity and access controls, Labor didn’t improve its scores because of a failure to implement available cybersecurity tools.
“DOL’s Office of Chief Information Officer (OCIO) was unable to provide timelines and plans for any of the information security tools that were not fully implemented, indicating the utilization of these tools was not properly managed,” the IG wrote.
The CIO’s office also evaluated its own performance poorly. Department management assesses itself on the 59 metrics, and those self-assessments are then compared with the inspector general’s scores. The IG and management didn’t agree on the score in 36 of the 59 areas.
“The better the accuracy of OCIO’s self-assessment, the more effective OCIO will be at addressing unresolved issues in other domain areas,” the IG wrote.
There is some good news in the report for the agency. Just three out of the 59 evaluated metrics trended down, while 21 trended up from FY18 to FY19. The other 35 remained the same. The department’s most successful category was security training, which was responsible for six of the 21 upward trending scores.
The risk management category contained several differences between the IG and management — they disagreed on eight of 12 metrics. While the IG found that the department had implemented a risk management program, it hadn’t established a plan to evaluate if it was effective.
“Management did not prioritize implementation of risk management metrics and performance monitoring to effectively manage and measure its risk management program, nor did they implement the tools they identified to support risk management tasks,” the IG wrote. “Management also did not monitor that programs were maintaining appropriate documentation in order to demonstrate effective operation for several risk management control areas.”
To improve, the inspector general made 20 recommendations regarding intrusion detection, implementation of access control technologies, implementing metrics and controls, and updating strategies. The department “generally” agreed with the findings.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.