Verizon blew the whistle on itself over how it was protecting data and systems at the General Services Administration.
That admission likely resulted in a smaller penalty from the Justice Department. Verizon agreed to pay just over $4 million to settle claims its Managed Trusted Internet Protocol Service (MTIPS), under the Trusted Internet Connections (TIC) initiative, failed to completely satisfy certain cybersecurity controls.
DOJ and the General Services Administration’s inspector general say in a release that Verizon’s cyber protections fell short of requirements from October 2017 to August 2021.
During the almost four-year span, Verizon failed to implement specific requirements under TIC 2.0, including domain name security extensions, real-time header and content capture for all inbound and outbound traffic, and certain encryption requirements set out in Federal Information Processing Standard 140-2.
“In 2020, Verizon proactively identified and disclosed to the GSA a potential issue with a managed security service that it sells to some federal government agencies,” said a company spokesman in an email to Federal News Network. “At no time did the potential issue that Verizon identified result in a security or data breach. The settlement announced today concludes that disclosure and reflects Verizon’s commitment to being a responsible government contractor.”
In the settlement, DOJ says Verizon initiated an independent investigation and compliance review, and provided the GSA OIG with written self-disclosures.
Verizon then remediated the problems, including firing the manager who had supervisory authority over the areas where issues occurred, conducting a line-by-line review of its systems security plan, and investing in governance, risk and compliance platforms to deliver automated compliance across MTIPS and other government internet boundaries.
Justice says Verizon received credit under its guidelines for making the disclosure, cooperating with the investigation and taking steps to remediate the problems.
Verizon manages MTIPS for about 15 agencies.
“When government contractors fail to follow required cybersecurity standards, they may jeopardize the security of sensitive government information and information systems,” said Deputy Assistant Attorney General Michael Granston of the Civil Division’s Commercial Litigation Branch in the release. “We will continue to pursue knowing cybersecurity related violations under the department’s Civil Cyber-Fraud Initiative and to provide credit in settlements to government contractors that disclose misconduct, cooperate with pending investigations and take remedial measures, all of which are critically important to protecting the nation against cyber threats.”
Experts say the technology and concepts that support MTIPS are being replaced by the new TIC 3.0 framework that the Cybersecurity and Infrastructure Security Agency rolled out last year.
The Office of Management and Budget created the MTIPS program as part of TIC in 2007 and it came to frustrate agencies, especially as remote work increased over the last few years. OMB updated TIC policy in 2019, giving agencies an easier path to use cloud services.