Commerce neglects its IT security workforce: inspector general

The department’s management has not devoted enough resources to training its IT security workers as cyber attacks increase in number and sophistication, IG says.

The Commerce Department has failed to take the basic steps to develop the workforce that oversees the security of the department’s information technology systems, a newly posted report states.

The department’s management has not devoted enough attention and resources to training its IT security workers, according to an audit by the department’s inspector general. The audit, dated Sept. 30, said officials haven’t assigned who is accountable for which IT security systems, and many of Commerce’s IT security officers don’t have the required security clearances. Without that clearance, the officers may be kept from learning the full extent of a cyber attack because they aren’t privy to the information, the report states.

“As a result, Commerce is at risk of not being satisfactorily prepared to protect its IT assets and information,” wrote Brett Baker, the assistant IG for audit.

The report recommends greater professional development and role-based training for IT security employees, especially those with significant responsibilities. Officials also should formally document officers’ duties, and they should set specific security clearances for particular IT positions and responsibilities, the report recommends.

In response, the department said the audit report overstates the security clearance issue, because not all security officers, such as those working at the operational level, need top-secret clearances.

Commerce has more than 300 IT systems, and 32 of them are high-impact systems. A system is considered high impact if a hacker who breached it could expose confidential government data or could impair the department’s operations and compromise its assets.

Baker wrote, “We are particularly concerned with the weaknesses found among the IT security workforce responsible for high-impact systems, because a security breach would have a severe impact on these systems.”

Cyber threats are a moving target, and they are increasing in number and sophistication almost daily, the report states. To meet those realities, the IT security program needs professionals with appropriate skills and experience to implement the required security controls and recognize emerging threats, according to the report.

Commerce officials said the National Institute of Science and Technology already has a leadership role on the Federal Chief Information Officer Council, as a member of the IT workforce committee. On that committee, its representatives can confront the governmentwide problem of developing a workforce with greater understanding of IT system security.