El S
department
of
Labor
sFP
-
7
Z~~z
Office
of
Inspector
General
~~ENF
oa
Washington, D.C.
20210
Q~~
`*e~
~
~h
T~~sT~
es
o<
~~~4
T.
MICHAEL
KERR
Chief
nformation
officer
t
.
ELLI~T
P.
LEWlS
Assistant inspector
General
for
Audit
SUBJECT.
Alert
Memorandum:
DOL
eeds
a
Take
immediate
Action
to
Correct
Security
Weaknesses
n
the
PIV
f
System,
Report
Number
23-
12-
OQ9
-07
-001
The
purpose
of
his
memorandum
s
to
inform
you
of
significant
weaknesses
n
the
PIV
II
security
program.
The
importance
of
the
PIV
if
system cannot
bE
understated
because
t
protee~s
DQL's
nfrastructure,
including
data,
other
systems,
and
p~opfe,
from
potential
harm
caused by
unauthorized
access.
Overall,
we
elieve
C)ASAM's
xecutive
management
id
not
adequate{y
engage
ir
the
ecurity
of
the
PIV
IE
system.
This
ack
of
engagement
by
OASAM s
high
-
ranking
executives
is
in
direct
apposition to
NEST
guidelines
and
a sa
trickled
dawn
to
those
who
awned,
perated,
and
monitored
the
PIV
-I
system
and
operations,
causing
deficient
system
security. Specifically,
OASAM
executive
management
assigned
a
system
owner
without
the
educational or
work
experience
necessary
o
properly
oversee
ecurity for
the
PfV
ii
system.
Qur
esting
identified
severe
cantrof
weaknesses
n
the
fallowing
areas:
account
management,
ystem
login,
system
privileges
and
agreements,
system
security
assessments,
ystem
training,
contingency
planning,
system
security
plan,
system
rules
of behavior,
and
configuration
rnanagemertt.
For
example,
we
found:
562
separated
DaL
mp{oyees
held
active
P V
II
accounts
after
separation,
IV
fl
system
rote
-based
users
held
active
PEV
EI
accounts
after
separation.
PIV
II
rate
-based
user
accounts
were
not
disab{ed
after
~
ays
of
inactivity
Of
223
P V
II
role
-based
user accounts,
125
were
not
accessed
ar disabled
within
-the
past
6
ays.
t~orking
fvr
tnericc~ s
Workff~rce
The
system
did
not
ock
out users
fter
the
Third
failed
iagin
attempt.
The
remediation
far
this
issue
was
approved
ar
cEosure
by
a
hird
-party
assessor
East (.?ctaber.
28
f
the
36
PlV
-I
rote
-based
users
tested
were
ranted
system
access
privileges
exceeding
authorization.
28
f
45
TV
-f
role
-based
users
have
r
more
oles
that federal
paficy
(PIPS
201
-1)
equires to
be
mutually exclusive,
meaning
hat
no
ingle
user
should
possess
more
han
one
of
he
following
rates:
(1)
ponsor,
2}
Registrar,
or
(3)
ssuer.
We
lso
expressed
concerns
ith
the
P V
-If
system
n
our
March
31,
2011,
eport
(04
-11-
001-07
-001),
"The
Department eou(d
Do
More
o
Strengthen
Controls
Ouer
ts
Personal
dentity Verification
System."
n this
report,
we
dentifred
issues
refaced
to
the implementation
of
management,
perational,
ar~d
technical
corttrois
aver the
P(V
-EI
system.
As
a
esult,
we made
ecommendations
elated tQ
employee
Eigibility
for
PIV
ards,
as
ell
recommendations
or
~'EV
card
issuance
and
revocation.
These
recommendations
have
not
been
closed
or
implemented.
Taken
individually,
these
weaknesses
re
very
serious.
Taken
as
a
whale,
heir
impact
on
the
PIV
-tl
security
program
places the
Department
t
a
~igh
risk
for
harm
o
infrastructure,
systems,
ata,
employees,
ontractors,
and
visitors.
Tf~erefore,
we
onsider
these
weaknesses
a
ignificant
deficiency,
and
a
material
weakness,
as
efined
by
OMB
emoraneium
M
-11
-33
and
A
-123
revise.
Within
5
ays
f
receipt
of
this
memorandum,
we
ecommend
the
CIC)
stablish
a
prioritized
corrective
action
plan, including
milestones,
that
details
a
trategy to
reduce
r
eliminate
the
risks
we
dentified.
We
lso
recommend
that
the
CIO
ensure
he
system
owners
eceive
the
raining
hat
they
need
to
meet
heirresponsibilities.
This
memorandum
contains
sensitive
inforrnatian
and
s
restricted
to
a~cial use.
f
should only
be
istributed
to
individuals
with
a
egitimate
"need
to
know."
Recipients
of
his
report
are
not
authorized to
distribute
or
release
it
without
the
express
permission of
the
}IG.
[f
you
have
any
questions,
please
contact
Keith
E,
Galayda,
udit
Director,
at
(202}
693
-5259.