Report: DOL Information Security Needs Improvement

An audit of the Department of Labor’s program determined it is ineffective.

A yearly audit found that information security programs at the Department of Labor contain weaknesses, demonstrating the regulator failed to fully adhere to applicable Federal Information Security Management Act requirements and other guidance.

Professional services firm KPMG LLP conducted the audit and made three recommendations to strengthen the regulator’s information security program. It also found, “based on testing,” 38 prior-year recommendations were closed and 31 recommendations remained open, according to the “FY 2023 FISMA DOL Information Security Report: Making Improvements Toward an Effective Program.”

KPMG found that the DOL’s information security program did not fully adhere to applicable FISMA requirements, Office of Management and Budget policy and guidance, and National Institute of Standards and Technology standards and guidelines.

The “DOL’s system-level security policies have not been updated to comply with” these applicable standards and guidelines, Carolyn R. Hantz, the DOL’s assistant inspector general for audit, wrote in a letter accompanying the report.

The Federal Information Security Management Act was passed in 2002—as part of the Electronic Government Act—setting guidelines and security standards to protect government information and operations.

FISMA requires every federal agency to develop, document and implement agency-wide information security programs. 

To be FISMA compliant, regulators must:
  • Perform system risk categorization of information systems, according to their risk levels, to ensure that sensitive information and high-value-asset systems are given the highest level of security. The categorization process considers the type of information contained in or processed by a system and determines what security controls are needed;
  • Meet baseline security controls. Federal systems must meet minimum security requirements as outlined in the National Institute of Standards and Technology Security and Privacy Controls for Information Systems and Organizations Special Publication 800-53;
  • Document the controls in the system security plan and maintain that documentation;
  • Evaluate system risks regularly to validate current security controls and determine if additional controls are required;
  • Conduct annual security reviews; and
  • Implement continuous monitoring.

“We remain concerned that the prior-year finding of compliance with NIST SP 800-53, Rev. 5, remains outstanding,” Hantz wrote. “By not updating the department’s policies and procedures to be compliant, the Chief Information Officer is not taking necessary steps in mitigating IT risk for the department.”

Based on the issues identified, there are concerns from inside the DOL “about the remaining corrections needed in [office of the chief information officer]’s oversight and accountability over DOL’s information security control environment,” according to the Office of the Inspector General’s summary of the report.

KPMG noted further deficiencies in the development and implementation of supply chain risk management security controls, plan-of-action and milestone reviews, configuration management controls and the enforcement of rules of behavior acknowledgement.

“We are also concerned about the findings of unimplemented supply chain risk policies and undocumented configuration deviations, which diminish the Chief Information Officer’s ability to ensure the foundational steps to manage IT risk for the department are taken,” Hantz wrote.

KPMG reported seven findings for DOL’s information security program within two of five cybersecurity framework functions and four of nine FISMA metrics.   

A security program is considered effective if the calculated score of the Cybersecurity Framework Functions is rated at least Managed and Measurable (Level 4), the report stated.

The DOL’s office of the chief information officer “generally” concurred with KPMG’s findings, pledging to resolve each of the identified issues.

“All recommendations identified have been remediated or plan to be remediated in FY 2024,” the report summarized.

KPMG LLP conducted the audit on the DOL’s information security program for the period of October 1, 2022, through June 30, 2023.

A DOL representative did not return a request for comment on the report.
