Identity verification systems that allow employees of the U.S. Department of Labor to access secure information systems are woefully lacking in security measures, according to DOL’s Office of the Inspector General.
A September 7 letter from DOL’s assistant inspector general for audit, obtained by Scribe through a Freedom of Information Act request, details “significant weaknesses” in the department’s PIV-II security program. PIV-II refers to measures taken to verify the identities of federal workers seeking access to secure information.
“Taken individually, these weaknesses are very serious,” the letter states. “Taken as a whole, their impact on the PIV-II security program places the Department at high risk for harm to infrastructure, systems, data, employees, contractors, and visitors.”
Among the most troubling weaknesses identified in the letter is the apparent ability of DOL employees to gain unauthorized access to information. More than 75% of the users examined, the letter states, “were granted system access privileges exceeding authorization.”
The list of weaknesses identified in the letter:
562 separated DOL employees held active PIV-II accounts after separation.
5 PIV-II system role-based users held active PIV-II accounts after separation.
PIV-II rate-based user accounts were not disabled after 60 days of inactivity. Of 223 PIV-II role-based user accounts, 125 were not accessed or disabled within the past 60 days.
The system did not lock out users after the third failed login attempt. The remediation for this issue was approved for closure by a third-party assessor last October.
28 of the 36 PlV-II role-based users tested were granted system access privileges exceeding authorization.
28 of 45 PIV-II role-based users have 2 or more roles that federal policy (FIPS 201-1) requires to be mutually exclusive, meaning that no single user should possess more than one of the following rates: (1) Sponsor, (2), Registrar, or (3) Issuer.
According to the letter, DOL has not implemented OIG recommendations made last year in a more extensive report on the PIV system.
The letter recommends that DOL “establish a prioritized corrective action plan” and “ensure the system owners receive the training that they need to meet their responsibilities.”
Read the full letter here: