Audit flags multiple concerns for Treasury's IT systems
The inspector general report documents a range of sloppy or incomplete IT practices for agency systems that support national security functions.
A new audit from the Department of Treasury’s Inspector General found a number of IT security flaws around the agency’s management of collateral national security systems.
The report documents a range of sloppy or incomplete IT security control practices for systems that support national security functions. Those practices run afoul of cybersecurity requirements detailed by the Federal Information Security Management Act and the National Institute of Standards and Technology, as well as internal departmental guidance.
In an attached letter, Larissa Klimpel, director of the cyber and information technology audit team, said the audit demonstrated that substantial elements of Treasury’s information security program for collateral national security systems were “not effective.”
In particular, Treasury’s departmental offices and the Bureau of Engraving and Printing were singled out for a range of security failures, including not putting in place documented plans of action and milestones to address previously identified cybersecurity weaknesses. Overall, the entities failed to create or complete plans to define or implement dozens of security controls listed in their own plans for safely managing collateral national security systems.
“Lack of [plans of action and milestones] for identified weaknesses could lead to security weaknesses and vulnerabilities not being remediated in a timely manner, thereby increasing risk of unauthorized access, use and/or modification of…collateral system resources,” the report states.
Departmental offices also stopped conducting periodic reviews of privileged and non-privileged access controls to those systems, potentially leaving them vulnerable to being accessed by former employees or unauthorized users.
Additionally, a similar audit last year found that departmental offices did not patch and update software to fix identified vulnerabilities in a timely or consistent manner. That complaint remains open and auditors said the practice of delaying installation of critical security patches has continued in fiscal year 2018.
The government defines a national security system as any information system used or operated by an agency or contractor that involves intelligence activities, cryptologic activities related to national security, command and control of military forces, equipment that is an integral part of a weapon or weapon system or is otherwise critical to the direct fulfillment of military or intelligence missions.
The audit does not specify which Treasury systems had deficient protocols, but the department is one of the 19 U.S. intelligence agencies and has several offices dedicated to producing, analyzing and pushing out intelligence around terrorism and financial crime. One of the components listed in the report, the Bureau of Engraving and Printing, prints and produces security documents for other departments and agencies.
The report, originally marked sensitive but unclassified, made nine recommendations to the department, most of which deal with instituting stricter documentation protocols and aligning security practices with FISMA and other federal guidance.
Treasury cited “competing priorities” and a lack of resources within departmental offices to explain their inability to address many of the problems listed in the report. In a letter, CIO Eric Olson concurred with all nine of the audit’s recommendations and pledged to have them all implemented by the summer of 2019.
“We acknowledge there are FISMA program areas defined in the draft report that require security improvement,” Olson wrote.