
U.S. Department of Labor
Office of Inspector General
Washington, D.C. 20210

SEP 7 2012

MEMORANDUM FOR: T. MICHAEL KERR, Chief Information Officer

FROM: ELLIOT P. LEWIS, Assistant Inspector General for Audit

SUBJECT: Alert Memorandum: DOL Needs to Take Immediate Action to Correct Security Weaknesses in the PIV-II System, Report Number 23-12-009-07-001

The purpose of this memorandum is to inform you of significant weaknesses in the PIV-II security program. The importance of the PIV-II system cannot be understated because it protects DOL's infrastructure, including data, other systems, and people, from potential harm caused by unauthorized access. Overall, we believe OASAM's executive management did not adequately engage in the security of the PIV-II system. This lack of engagement by OASAM's high-ranking executives is in direct opposition to NIST guidelines and also trickled down to those who owned, operated, and monitored the PIV-II system and operations, causing deficient system security. Specifically, OASAM executive management assigned a system owner without the educational or work experience necessary to properly oversee security for the PIV-II system. Our testing identified severe control weaknesses in the following areas: account management, system login, system privileges and agreements, system security assessments, system training, contingency planning, system security plan, system rules of behavior, and configuration management. For example, we found:

- 562 separated DOL employees held active PIV-II accounts after separation.
- 5 PIV-II system role-based users held active PIV-II accounts after separation.
- PIV-II role-based user accounts were not disabled after 60 days of inactivity. Of 223 PIV-II role-based user accounts, 125 were not accessed or disabled within the past 60 days.
- The system did not lock out users after the third failed login attempt. The remediation for this issue was approved for closure by a third-party assessor last October.
- 28 of the 36 PIV-II role-based users tested were granted system access privileges exceeding authorization.
- 28 of 45 PIV-II role-based users have 2 or more roles that federal policy (FIPS 201-1) requires to be mutually exclusive, meaning that no single user should possess more than one of the following roles: (1) Sponsor, (2) Registrar, or (3) Issuer.

We also expressed concerns with the PIV-II system in our March 31, 2011, report (04-11-001-07-001), "The Department Could Do More to Strengthen Controls Over Its Personal Identity Verification System." In that report, we identified issues related to the implementation of management, operational, and technical controls over the PIV-II system. As a result, we made recommendations related to employee eligibility for PIV cards, as well as recommendations for PIV card issuance and revocation. These recommendations have not been closed or implemented.

Taken individually, these weaknesses are very serious. Taken as a whole, their impact on the PIV-II security program places the Department at a high risk for harm to infrastructure, systems, data, employees, contractors, and visitors. Therefore, we consider these weaknesses a significant deficiency, and a material weakness, as defined by OMB Memorandum M-11-33 and A-123 revised.

Within 5 days of receipt of this memorandum, we recommend the CIO establish a prioritized corrective action plan, including milestones, that details a strategy to reduce or eliminate the risks we identified. We also recommend that the CIO ensure the system owners receive the training that they need to meet their responsibilities.

This memorandum contains sensitive information and is restricted to official use. It should only be distributed to individuals with a legitimate "need to know." Recipients of this report are not authorized to distribute or release it without the express permission of the OIG. If you have any questions, please contact Keith E. Galayda, Audit Director, at (202) 693-5259.

Working for America's Workforce
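The account-management and login findings above (active accounts after separation, accounts not disabled after 60 days of inactivity, no lockout after the third failed login, and users holding more than one of the mutually exclusive Sponsor/Registrar/Issuer roles) are the kind of conditions a system owner can test for continuously rather than discover in an audit. The script below is an added illustration of those four checks; it is not code from the OIG, DOL, or the PIV-II system. The record layout, the user IDs, dates, and login events are all constructed for the example, and the field names are assumptions about what an exported account list would contain.

```python
"""Periodic account-hygiene checks modelled on the memo's findings.
Added example; not OIG or DOL code. All records below are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

INACTIVITY_LIMIT_DAYS = 60                            # the 60-day threshold cited in the memo
LOCKOUT_THRESHOLD = 3                                 # lock after the third failed login
EXCLUSIVE_ROLES = {"Sponsor", "Registrar", "Issuer"}  # FIPS 201-1 separation of duties


@dataclass
class Account:
    user_id: str
    active: bool                         # account enabled in the system
    separated_on: Optional[date]         # HR separation date; None if still employed (assumed field)
    last_login: Optional[date]           # None if the account has never been used
    roles: set = field(default_factory=set)


def active_after_separation(accounts, today):
    """Accounts still enabled although HR records the user as separated."""
    return sorted(a.user_id for a in accounts
                  if a.active and a.separated_on is not None and a.separated_on <= today)


def stale_accounts(accounts, today, limit_days=INACTIVITY_LIMIT_DAYS):
    """Enabled accounts not used within limit_days (never-used accounts count as stale)."""
    stale = []
    for a in accounts:
        if not a.active:
            continue
        if a.last_login is None or (today - a.last_login).days > limit_days:
            stale.append(a.user_id)
    return sorted(stale)


def role_conflicts(accounts):
    """Users holding more than one of the mutually exclusive PIV roles."""
    return {a.user_id: sorted(a.roles & EXCLUSIVE_ROLES)
            for a in accounts if len(a.roles & EXCLUSIVE_ROLES) > 1}


def lockout_candidates(events, threshold=LOCKOUT_THRESHOLD):
    """Users whose consecutive failed logins reached the threshold without a
    success in between; a success resets the counter. Events are (user, outcome)
    tuples in chronological order."""
    streak, locked = {}, set()
    for user, outcome in events:
        if outcome == "success":
            streak[user] = 0
        else:
            streak[user] = streak.get(user, 0) + 1
            if streak[user] >= threshold:
                locked.add(user)
    return sorted(locked)


def run_checks(accounts, events, today):
    """Bundle the four findings into one report dictionary."""
    return {
        "active_after_separation": active_after_separation(accounts, today),
        "stale": stale_accounts(accounts, today),
        "role_conflicts": role_conflicts(accounts),
        "should_be_locked": lockout_candidates(events),
    }


# Constructed sample data: six role-based accounts and a short login log.
TODAY = date(2012, 9, 1)
SAMPLE_ACCOUNTS = [
    Account("u001", True, date(2012, 6, 15), date(2012, 6, 14), {"Sponsor"}),   # separated, still active
    Account("u002", True, None, date(2012, 8, 30), {"Registrar", "Issuer"}),    # role conflict
    Account("u003", True, None, None, {"Issuer"}),                              # never used
    Account("u004", False, date(2012, 3, 1), date(2012, 2, 28), {"Registrar"}), # correctly disabled
    Account("u005", True, None, date(2012, 7, 1), {"Sponsor"}),                 # 62 days idle
    Account("u006", True, None, date(2012, 8, 1), {"Sponsor"}),                 # clean
]
SAMPLE_EVENTS = [
    ("u002", "fail"), ("u002", "fail"), ("u002", "fail"),                # three in a row -> lock
    ("u006", "fail"), ("u006", "success"), ("u006", "fail"), ("u006", "fail"),  # reset by success
]

if __name__ == "__main__":
    for name, hits in run_checks(SAMPLE_ACCOUNTS, SAMPLE_EVENTS, TODAY).items():
        print(f"{name}: {hits}")
```

Running the checks against an exported account list on a schedule turns each of the memo's findings into a ticket the same day it appears, instead of a count discovered months later; the never-used case is treated as stale deliberately, since an account that has never authenticated has no evidence that anyone still needs it.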
