Watchdog rips IT management at Secret Service
A follow-up report on the leak of Rep. Jason Chaffetz's old job application data at the Secret Service finds nagging holes in the agency's management of personal data and IT.
Rep. Jason Chaffetz (R-Utah) wants the Secret Service to relinquish authority over cybersecurity investigations in the wake of a critical watchdog report.
The Secret Service's IT management is troubling, according to a report from the Department of Homeland Security's Office of Inspector General.
The report is a follow-up to an audit conducted in 2015 after the discovery that dozens of Secret Service employees had accessed a 2003 job application submitted by Rep. Jason Chaffetz (R-Utah) without authorization.
Chaffetz did not get the job at the Secret Service, but as chairman of the House Oversight and Government Reform Committee, he now has some say in the agency's oversight.
"The Secret Service believes they have a core mission to protect the nation's financial infrastructure from cyber-related crimes, yet can't keep their own systems secure," Chaffetz said in an Oct. 14 statement in response to the report. "Despite past warnings, [the Secret Service] is still unable to assure us their IT systems are safe."
Chaffetz wants the agency's cybersecurity responsibilities moved elsewhere. "They lack the right personnel to do the job, and senior leadership isn't accountable," he said.
An OIG investigation in 2015 found that 45 Secret Service agents had used an internal email system to distribute a screenshot of a database record that contained Chaffetz's personally identifiable information, including Social Security number and date of birth. The information was also leaked to two media outlets.
The latest report concludes that the agency has not adequately protected the data in case management systems and that IT management poses persistent problems.
The report calls the agency's IT management "ineffective" and cites scant security plans, systems with expired authorities to operate, insufficient access and audit controls, noncompliant logical access requirements, and inadequate privacy protections.
IT management at the agency had not been a priority, the report states. In addition, its CIO did not have authority over all IT resources and was not positioned to provide adequate oversight of systems agencywide.
The Secret Service also lagged in updating IT policy to reflect current processes and was plagued with high turnover and vacancies in the CIO's office.
The OIG said the Secret Service moved to right the situation in late 2015 by centralizing all IT resources under a full-time CIO and drafting plans to improve IT governance. The OIG added that it told the Secret Service as far back as 2013 that it needed to give the CIO agencywide authority over the IT budget and investment review.
In addition, the Secret Service has attempted to clean up its recordkeeping practices. The agency held onto some personnel data, such as job applications, for decades when a five-year retention period would have sufficed, the report states.
However, the OIG said that until those changes are fully implemented, the agency's systems and data will remain vulnerable to unauthorized access and leaks.
Chaffetz has asked the OIG to conduct further inquiries into the Secret Service's mishandling of personally identifiable information.