The Department of Labor’s Office of Inspector General (OIG) said the agency needs to improve in two key legislative areas related to IT management, according to OIG’s semiannual report released Tuesday and covering October 2017 through March 2018.
First, OIG found that Labor does not have an effective information security program, as required by the Federal Information Security Modernization Act (FISMA) of 2014.
The lack of a strong cybersecurity posture, as OIG noted in its November 2016 FISMA Report and reiterated Tuesday, has much to do with Labor’s chief information officer not reporting to the agency’s secretary. The agency scored an F in the FISMA preview of the recently-released FITARA scorecard, and was docked a letter grade for its CIO reporting structure.
OIG contracted consulting firm KPMG to conduct an independent evaluation, and the firm flagged 33 findings across the security controls areas of identity and access management, configuration management, contingency planning, and incident response. OIG said it has reported similar deficiencies over the past ten years.
“DOL’s inability to correct these deficiencies stems, in part, from the positioning of the chief information officer within a program agency,” the report states. “The Assistant Secretary for Administration and Management needs to realign the organizational structure as it relates to the CIO to address this organizational independence issue.”
Second, OIG found that Labor needs to improve its data submitted under the Digital Accountability and Transparency (DATA) Act of 2014, which ensures proper accountability in agency spending.
While DoL is complying with the government-wide standards for data submission, it’s the data itself that is flawed, OIG said. Due to control deficiencies, 74 percent of the transactions OIG sampled contained an error in one or more data elements. Data elements were missing in 19 percent of the transactions.
While several errors were caused by the Treasury Department’s data extraction process, 52 percent of the transactions still contained inaccurate information when those extraction errors were excluded.
OIG said the inaccuracies stemmed from manual data entry mistakes and weak validation processes, among other reasons.
