Tuesday, November 21, 2023: US DOL Inspector General’s Office Announced Report Citing IT Modernization & Security Concerns
Another Report Earlier This Month Also Identified IT Security Challenges
The U.S. Department of Labor’s (“DOL”) Office of Inspector General (“OIG”) announced on X/Twitter a new Report, titled “Without an IT Modernization Framework, DOL Is Vulnerable to Inadequate Resource Prioritization for Ensuring Security and Availability of DOL Systems.” While the Report is dated November 17, the OIG did not announce it until last Tuesday. The OIG found that the DOL has not developed a formal IT modernization framework, that the DOL could improve elements of its existing process, and that these gaps leave the department vulnerable to failing to prioritize the projects it most needs to address.
What is IT Modernization?
The OIG explained that information technology (“IT”) modernization “refers to an organization’s efforts to prevent IT systems from becoming outdated, which can lead to poor performance and security concerns.” The DOL’s Chief Information Officer (“CIO”) has responsibility and oversight for over 65 major information systems as well as enterprise IT initiatives across the department. This responsibility includes overseeing the DOL’s efforts “to upgrade IT systems and to ensure that existing IT systems do not become outdated due to lifecycle, technical, or business reasons.”
What Did the OIG Find?
In the 18-page Report, the OIG found that:
“the Department has not developed a formal, documented IT modernization framework. While the CIO has developed several elements that could become part of an IT modernization framework, [the OIG] found those elements are not linked to one another nor documented as part of a larger, formalized process. The CIO’s reason for lack of a documented framework was to keep the approach dynamic. However, a documented framework would ensure consistency going forward rather than leaving DOL’s IT modernization efforts open to interpretation and subject to changes in personnel.
Also, [the OIG] found that at least two of the elements could be improved. First, the agency update documents that the CIO uses to monitor IT modernization projects are incomplete and also agency-curated, instead of being based on the full picture. Second, the inventory of IT systems used to prioritize IT modernization efforts is a spreadsheet that has to be manually updated and does not link to the other elements.
These issues lead to gaps in the CIO’s visibility of the current and future states of DOL’s IT modernization. As a result, DOL is vulnerable to spending valuable time and resources on IT projects that are not the highest priorities for ensuring the security and availability of vital DOL systems.”
Three Recommendations & Responses
As a result of its findings, the OIG made three recommendations:
- Document an IT modernization framework, including the connections between its different elements, and publish the information to ensure all Department personnel are aware of how it works. In response, the Office of the Chief Information Officer (“OCIO”) stated it has formalized an IT modernization scoring mechanism that was not yet in place at the time of the audit, and that it will take further measures to publish a model that demonstrates the key elements and relationships involved in the process;
- Develop documents for IT modernization project discussions that ensure completeness of IT modernization efforts including new projects and enhancements to existing systems. The OCIO addressed this recommendation by stating that it will review and refine documents to ensure the completeness of IT modernization efforts including new projects and enhancements to existing systems;
- Implement a system/program to maintain an automated, real-time inventory of all Department systems and applications that enables prioritization of IT modernization. In response, the OCIO stated it will focus on maintaining an inventory of all programs and systems using IT discovery tools, which will be automated, although not necessarily “real-time,” to the extent possible within budget constraints.
Earlier Report on Management & Performance Challenges Also Raised IT Security Concerns
An earlier OIG Report on the DOL’s “Top Management and Performance Challenges,” dated November 15, 2023, also addressed data and IT concerns. The last three pages of the 45-page Report addressed “Managing and Securing Data and Information Systems.” There, the OIG concluded that:
“The Department continues to be challenged in securing and managing data and information systems, particularly in the following areas: (1) maintaining an effective information security program; (2) implementing, utilizing, and securing emerging technologies; and (3) governing a vast IT portfolio to meet DOL and its program agencies’ needs and expectations.”
The OIG then went on to discuss the security deficiencies it found in recent audits:
“We found DOL’s security program had deficiencies in maintaining policies and procedures to comply with current federal requirements, oversight reviews, configuration management, insufficient vulnerability testing, and contingency testing. Additionally, the Department was unable to close 31 of [the prior year recommendations that the OIG made pursuant to the Federal Information Security Modernization Act of 2014.] These deficiencies continue to hinder the Department in identifying security weaknesses; protecting its systems and data; and detecting, responding to, and recovering from incidents.
The Department will continue to be challenged to effectively implement, utilize, and secure new and emerging technologies, including artificial intelligence, advanced analytics, robotic process automation, quantum computing, low-code technology, and the Internet of Things [see here]. DOL struggles in its ability to implement new requirements into its IT practices and programs. The Department has not demonstrated the ability to effectively implement new standards for securing federal data and information systems, such as those applicable to zero trust architecture and supply chain.
…
Ultimately, the Department faces key challenges in IT security and management that include protecting its IT systems from intrusion by external threats or being compromised by internal entities; securing and safeguarding its data and information systems, including administering endpoint security; managing its IT investment portfolio; and planning, acquiring, replacing, and upgrading IT infrastructure and systems. Further, we are still concerned the remaining systems and agencies that are not part of the IT Shared Services environment are not receiving the governance and oversight required to sufficiently secure all of DOL’s data and information systems.”
What Does DOL Need to Do?
The OIG noted that, while the DOL has made some progress:
“DOL needs to improve its governance and management over all of DOL agencies’ IT and systems. To improve the security of its information systems, the Department still needs to:
- Strengthen its oversight in implementing information security policies, procedures, and controls.
- Improve its continuous monitoring program.
- Focus on recurring information security deficiencies.
- Implement required information system security standards.
- Ensure the implementation of security requirements with its third-party cloud systems and IT services.
- Plan for emerging cybersecurity enhancements, such as zero trust architecture.
To improve the management of its information systems, while having implemented a shared services model within the Office of the Assistant Secretary for Administration and Management for its information technology, the Department needs to:
- Incorporate the remaining information systems into DOL’s IT Shared Services model.
- Elevate the CIO’s position to report directly to the Secretary of Labor so the CIO has the necessary authority, independence, and accountability to govern the Department’s IT resources.”
For more background on the DOL OIG, see our recent report here and the DE Under 3 segment here.