A new audit from the Department of Treasury’s Inspector General found a number of IT security flaws around the agency’s management of collateral national security systems.
The report documents a range of sloppy or incomplete IT security control practices for IT systems that support national security functions. Those practices run afoul of cybersecurity requirements detailed by the Federal Information Security Management Act and the National Institute of Standards and Technology, as well as internal departmental guidance.
In an attached letter, Larissa Klimpel, director of the cyber and information technology audit team, said the audit demonstrated that substantial elements of Treasury’s information security program for collateral national security systems were “not effective.”
In particular, Treasury’s departmental offices and the Bureau of Engraving and Printing were singled out for a range of security failures, including not putting in place documented plans of action and milestones to address previously identified cybersecurity weaknesses. Overall, the entities failed to create or complete plans to define or implement dozens of security controls listed in their own plans for safely managing collateral national security systems (confidential, secret, and top secret classifications).
Additionally, a similar audit last year found that departmental offices did not patch and update software to fix identified vulnerabilities in a timely or consistent manner. That complaint remains open and auditors said the practice of delaying installation of critical security patches has continued in fiscal year 2018.
The audit does not specify which Treasury systems had deficient protocols, but the department is one of the 19 US intelligence agencies and has several offices dedicated to producing, analyzing and pushing out intelligence around terrorism and financial crime. One of the components listed in the report, the Bureau of Engraving and Printing, prints and produces security documents for other departments and agencies.