Years after a cybersecurity breach impacted its participants, IT and security updates have been slow to materialize at the Federal Retirement Thrift Investment Board (FRTIB), the agency that oversees and administers the Thrift Savings Plan.
The board still has a long way to go to comply with the Homeland Security Department’s metrics under the Federal Information Security Modernization Act (FISMA), according to a portion of the agency’s performance audit for fiscal 2016.
FISMA performance audits typically encompass metrics from three entities: the agency’s chief information officer, its senior privacy official and the organization’s inspector general.
Most agencies, including the FRTIB, have reported CIO and privacy officer results several times in the past, but the board conducted its first-ever FISMA inspector general audit in fiscal 2016.
FRTIB doesn’t have its own inspector general, so it must hire an independent auditor to conduct the IG review. Ernst and Young conducted the board’s first review last year.
To start, the board hasn’t yet implemented a Personal Identity Verification (PIV) program for its users, though the FRTIB said it was on track to have two-factor authentication in place for all users by the end of the next quarter.
In addition, the agency hasn’t fully implemented a risk management strategy or procedures to continuously assess whether its security controls are working properly. This has been an ongoing project for the FRTIB, which said last year that it had many of the functions of the typical risk management office in place but not all of them.
The board also lacks a program to oversee the systems that its contractors run, and it doesn’t have a formal process in place to measure, report and monitor its contractors’ information security performance, the E&Y report said.
Continuous monitoring remains a challenge, as the board has yet to fully develop a program or finalize policy. The FRTIB also hasn’t established continuous monitoring training for its executives, Ernst and Young said. Training in general is another issue, because the board’s executives, IT administrators and managers haven’t received specialized security awareness and privacy coaching.
Finally, the board doesn’t have proper procedures to communicate with DHS when an incident occurs or policies to utilize the department’s EINSTEIN program, the report said.
E&Y acknowledged that the board made some progress and will continue to do so this year; not all of that progress is reflected in its 2016 FISMA report.
“FRTIB continued and has continued since the closure of our audit work with strengthening the information security posture, controls and management practices,” said Wenner Lippner, principal at Ernst and Young, at the board’s Feb. 27 meeting. E&Y reviewed four of the FRTIB’s 19 systems for its 2016 audit.
The board itself has acknowledged its own cybersecurity challenges. It studied private sector best practices last year and signaled that cybersecurity would be a major project for the agency in 2017.
These challenges aren’t unique to the FRTIB, but the agency did suffer a cyber breach back in 2012, when hackers accessed personal information for 123,000 TSP participants through one of the board’s contractors.
The board has received some criticism since then, from the Labor Department and Congress, for the sluggish progress it’s made in fixing its cybersecurity systems and responding to concerns from outside auditors.
In its 2015 audit of the TSP, Clifton Larson Allen identified the agency’s security program as one of two significant deficiencies. Auditors specifically pointed to FRTIB’s systems authorizations and continuous monitoring programs as areas that needed attention.
The board is also struggling to close audit recommendations. It closed four of 12 recommendations during the first quarter of fiscal 2017. It closed five of 63 recommendations during the previous quarter.
To date, FRTIB has 165 sub-recommendations open from external auditors. The Labor Department also issued five new recommendations and re-issued one other recommendation from the previous year.
“Obviously our audit closure rate is unacceptable,” said Greg Long, the board’s executive director.
The agency has been working through responses to 35 audits from fiscal 2016 and 2017, and it has 11 more to respond to this fiscal year, a point which Long said is causing a “significant amount of stress” in the organization.