U.S. Department of Labor
Office of Inspector General
Washington, D.C. 20210
TO: T. MICHAEL KERR
Chief Information Officer

FROM: ELLIOT P. LEWIS
Assistant Inspector General for Audit
SUBJECT: Alert Memorandum: DOL Needs to Take Immediate Action to Correct Security Weaknesses in the PIV-II System, Report Number 23-12-009-07-001
The purpose of this memorandum is to inform you of significant weaknesses in the PIV-II security program. The importance of the PIV-II system cannot be overstated, because it protects DOL's infrastructure, including data, other systems, and people, from potential harm caused by unauthorized access.
Overall, we believe OASAM's executive management did not adequately engage in the security of the PIV-II system. This lack of engagement by OASAM's high-ranking executives is in direct opposition to NIST guidelines and has trickled down to those who owned, operated, and monitored the PIV-II system and operations, causing deficient system security. Specifically, OASAM executive management assigned a system owner without the educational or work experience necessary to properly oversee security for the PIV-II system.
Our testing identified severe control weaknesses in the following areas: account management, system login, system privileges and agreements, system security assessments, system training, contingency planning, system security plan, system rules of behavior, and configuration management.
For example, we found:

- 562 separated DOL employees held active PIV-II accounts after separation.
- [illegible] PIV-II system role-based users held active PIV-II accounts after separation.
- PIV-II role-based user accounts were not disabled after [illegible] days of inactivity. Of 223 PIV-II role-based user accounts, 125 were not accessed or disabled within the past 6[illegible] days.
- The system did not lock out users after the third failed login attempt. The remediation for this issue was approved for closure by a third-party assessor last October.
- 28 of the 36 PIV-II role-based users tested were granted system access privileges exceeding authorization.
- 28 of 45 PIV-II role-based users have two or more roles that federal policy (FIPS 201-1) requires to be mutually exclusive, meaning that no single user should possess more than one of the following roles: (1) Sponsor, (2) Registrar, or (3) Issuer.
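As an added example, not part of the OIG memorandum or of DOL's own tooling, the following Python script shows how the account-management findings above can be checked mechanically against an export of PIV-II accounts: accounts still enabled on or after the holder's separation, role-based accounts not used within an inactivity window, and users holding more than one of the FIPS 201-1 mutually exclusive roles (Sponsor, Registrar, Issuer). The account records are constructed sample data, the field names are hypothetical, and the 60-day inactivity threshold is an assumption, since the memo's own figure is illegible in this copy.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# FIPS 201-1 requires these PIV roles to be held by different people.
EXCLUSIVE_ROLES = frozenset({"Sponsor", "Registrar", "Issuer"})

# Assumed inactivity window in days (the memo's own figure is illegible here).
INACTIVITY_DAYS = 60


@dataclass(frozen=True)
class Account:
    user_id: str
    active: bool                 # account enabled in the PIV-II system
    roles: frozenset[str]        # PIV role-based assignments, empty for cardholders
    last_login: date | None      # None if the account has never been used
    separated_on: date | None    # None if the holder is still employed


def active_after_separation(accounts, as_of):
    """Accounts still enabled on or after the holder's separation date."""
    return sorted(
        a.user_id for a in accounts
        if a.active and a.separated_on is not None and a.separated_on <= as_of
    )


def stale_role_accounts(accounts, as_of, threshold_days=INACTIVITY_DAYS):
    """Enabled role-based accounts not used within the inactivity window."""
    cutoff = as_of - timedelta(days=threshold_days)
    return sorted(
        a.user_id for a in accounts
        if a.active and a.roles and (a.last_login is None or a.last_login < cutoff)
    )


def sod_violations(accounts):
    """Users holding more than one of the mutually exclusive PIV roles."""
    return {
        a.user_id: sorted(a.roles & EXCLUSIVE_ROLES)
        for a in accounts
        if len(a.roles & EXCLUSIVE_ROLES) > 1
    }


def audit(accounts, as_of):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "active_after_separation": active_after_separation(accounts, as_of),
        "stale_role_accounts": stale_role_accounts(accounts, as_of),
        "sod_violations": sod_violations(accounts),
    }


# Constructed sample export; the names and dates are not from the audit.
AS_OF = date(2012, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", True, frozenset({"Sponsor"}), date(2012, 2, 20), None),
    Account("bob", True, frozenset(), date(2011, 6, 1), date(2011, 12, 15)),
    Account("carol", True, frozenset({"Registrar"}), date(2011, 11, 1), None),
    Account("dave", True, frozenset({"Sponsor", "Issuer"}), date(2012, 2, 28), None),
    Account("erin", False, frozenset({"Issuer"}), date(2011, 1, 1), date(2011, 2, 1)),
    Account("frank", True, frozenset({"Registrar"}), None, date(2012, 1, 10)),
]

if __name__ == "__main__":
    for finding, hits in audit(SAMPLE_ACCOUNTS, AS_OF).items():
        print(f"{finding}: {hits}")
```

Run against the sample, the script flags "bob" and "frank" as enabled after separation, "carol" and "frank" as role-based accounts unused within the window, and "dave" as holding both Sponsor and Issuer. A real review would feed it the HR separation list and the PIV-II account export, and the inactivity threshold should be set to whatever the system's security plan actually requires.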
We also expressed concerns with the PIV-II system in our March 31, 2011, report (04-11-001-07-001), "The Department Could Do More to Strengthen Controls Over Its Personal Identity Verification System." In this report, we identified issues related to the implementation of management, operational, and technical controls over the PIV-II system. As a result, we made recommendations related to employee eligibility for PIV cards, as well as recommendations for PIV card issuance and revocation. These recommendations have not been closed or implemented.
Taken individually, these weaknesses are very serious. Taken as a whole, their impact on the PIV-II security program places the Department at a high risk for harm to infrastructure, systems, data, employees, contractors, and visitors. Therefore, we consider these weaknesses a significant deficiency, and a material weakness, as defined by OMB Memorandum M-11-33 and A-123, revised.
Within 5 days of receipt of this memorandum, we recommend the CIO establish a prioritized corrective action plan, including milestones, that details a strategy to reduce or eliminate the risks we identified. We also recommend that the CIO ensure the system owners receive the training that they need to meet their responsibilities.
This memorandum contains sensitive information and is restricted to official use. It should only be distributed to individuals with a legitimate "need to know." Recipients of this report are not authorized to distribute or release it without the express permission of the OIG. If you have any questions, please contact Keith E. Galayda, Audit Director, at (202) 693-5259.