Audits of DHS, other agencies found access control problems, but didn’t address biometrics
The role of biometrics in the computer access controls of several critical US government agencies, controls that recent Government Accountability Office (GAO) audits found deficient, was not examined or addressed, according to the GAO officials involved in the respective audits.
This comes at a time when all US federal agencies must be able to identify, credential, monitor, and manage user access to information and information systems across their entire enterprise to ensure secure and efficient operations pursuant to the new White House directive, Strengthening the Cybersecurity of Federal Agencies through Improved Identity, Credential, and Access Management, as Biometric Update previously reported.
Gregory Wilshusen, Director of Information Technology at GAO, Congress’ non-partisan investigative arm, told Biometric Update, “We did not review the use of biometrics by [the Department of Homeland Security (DHS)] in the body of work that was discussed in” the new GAO audit report, DHS Needs to Enhance Efforts to Improve and Promote the Security of Federal and Private-Sector Networks.
Similarly, Dawn Simpson, Director, GAO Financial Management and Assurance, wouldn’t say whether GAO’s redacted public audit report, Management Report: Improvements Needed in the Bureau of the Fiscal Service’s Information System Controls, on the Department of the Treasury’s Bureau of the Fiscal Service looked at biometric access control problems in the context of the access control deficiencies GAO identified.
GAO reported in the sanitized audit report that it “identified new deficiencies in information system controls that, along with unresolved control deficiencies from prior audits collectively represent a significant deficiency.”
Simpson told Biometric Update only that “Our public report doesn’t address the specific deficiencies,” and “I can’t discuss the restricted version of the report since the content was restricted by [GAO].”
Repeated requests to the Department of the Treasury’s Bureau of the Fiscal Service about its use of biometrics went unanswered.
Biometric Update previously reported that Rebecca Gambler, Director, Homeland Security & Justice issues at GAO, said its audit report, Observations on Voting Equipment Use and Replacement, which was requested by lawmakers, also “did not consider the issue of biometrics as part of our work,” adding, “GAO’s prior work on elections issues also has not addressed biometrics, and thus, we don’t have background or insights to share in this area.”
In interviews with Biometric Update, federal cybersecurity officials, speaking on background, expressed puzzlement that biometrics were not addressed in GAO’s findings on deficient access controls for critical data, information systems and enterprises throughout the federal government. They also pointed to audits by various agencies’ Offices of Inspector General that likewise found computer access control deficiencies without addressing biometrics.
When asked how widespread the use of biometrics is within DHS and the other federal agencies whose critical database and enterprise access DHS oversees, a senior DHS IT official said he could not “answer … that question” because it is sensitive restricted information held on a “need to know” basis, “which, as you know, is required beyond the appropriate clearance for information access.”
GAO stated in its audit report, DHS Needs to Enhance Efforts to Improve and Promote the Security of Federal and Private-Sector Networks, “Virtually all federal operations are supported by computer systems and electronic data, and agencies would find it difficult, if not impossible, to carry out their missions and account for their resources without these information assets. Hence, the security of these systems and data is vital to public confidence and the nation’s safety, prosperity, and well-being. Ineffective security controls to protect these systems and data could have a significant impact on a broad array of government operations and assets.”
“Yet,” GAO found, “computer networks and systems used by federal agencies are often riddled with security vulnerabilities—both known and unknown. These systems are often interconnected with other internal and external systems and networks, including the Internet, thereby increasing the number of avenues of attack and expanding their attack surface.”
GAO concluded that “Over the last several years, we have made about 2,500 recommendations to agencies aimed at improving the security of federal systems and information. These recommendations identified actions for agencies to take to strengthen their information security programs and technical controls over their computer networks and systems. Nevertheless, many agencies continue to be challenged in safeguarding their information systems and information, in part because they have not implemented many of these recommendations.”
During GAO’s audit of the Schedules of Federal Debt managed by the Department of the Treasury’s Bureau of the Fiscal Service for fiscal years 2017 and 2016, it “identified new deficiencies in information system controls that along with unresolved control deficiencies from prior audits collectively represent a significant deficiency in Fiscal Service’s internal control over financial reporting. Specifically, GAO identified eight new deficiencies in information system general controls over key Fiscal Service financial systems that are relevant to the Schedule of Federal Debt. One of these deficiencies related to security management, four related to access controls, and three related to configuration management.”
“These general control deficiencies, which collectively represent a significant deficiency, increase the risk of unauthorized access to, modification of, or disclosure of sensitive data and programs and disruption of critical operations,” the audit report stated.
Over at the Centers for Medicare & Medicaid Services (CMS), GAO said in its audit report, CMS Oversight of Medicare Beneficiary Data Security Needs Improvement, that it “compared CMS’s Acceptable Risk Safeguards (ARS) with the National Institute of Standards and Technology (NIST) Cybersecurity Framework to determine the extent to which the ARS aligns with the framework,” but that its “analysis showed that [while] the ARS generally aligns with the NIST Cybersecurity Framework,” it did not address “all of the controls noted as informative references to the framework.”
CMS, within the Department of Health and Human Services (HHS), is the agency responsible for overseeing the Medicare program, which covers nearly 58 million aged and disabled Americans, approximately 18 percent of the total US population. Medicare beneficiary data, which includes personally identifiable information (PII) such as biometrics, are created, stored, and used by a wide variety of entities, such as health care providers, insurance companies, financial institutions, academic researchers, and other federal and state agencies, for a wide variety of purposes. These include researching and monitoring the efficacy of health care treatments, processing payments, and analyzing the cost of health care treatments. The extent of beneficiary data collected and maintained by CMS and its partners makes the data especially useful for these and other purposes.
“However,” GAO stated, “the distributed nature of Medicare systems and networks, along with the fact that so many entities external to CMS are connected to them, increases the potential that unauthorized individuals could gain access to these systems and the extensive amount of Medicare beneficiary data they contain.”
GAO reported, “CMS addressed most, but not all, of the controls listed under access control. Examples of controls not addressed include the ability to provide additional identification and authentication measures under specific circumstances and to provide dynamic authentication for service providers. These controls are important to establish more avenues of identifying individuals or services that receive Medicare Beneficiary Data.”
CMS also addressed most, but not all, of the controls listed under data security, GAO found, saying, “The control not addressed was performing an analysis to identify ways that an unauthorized entity might access security domains. This is important to know if there are any ways to communicate in the environment the organization might not be aware of in order to address that vulnerability.”
As a matter of “background,” GAO reiterated in its audit report that, “Without proper safeguards, systems are vulnerable to individuals and groups with malicious intent who can intrude and use their access to obtain or manipulate sensitive information, commit fraud, disrupt operations, or launch attacks against other computer systems and networks. We and federal inspectors general have reported extensively on information security deficiencies that place federal agencies at risk of disruption, fraud, or inappropriate disclosure of sensitive information. Accordingly, since 1997, we have designated federal information security as a government-wide high-risk area. This area was expanded to include the protection of critical cyber infrastructure in 2003 and protecting the privacy of PII in 2015.”
The DHS Inspector General (IG), in its redacted public report, Evaluation of DHS’ Compliance with Federal Information Security Modernization Act Requirements for Intelligence Systems, which evaluated DHS’s enterprise-wide security program for Top Secret/Sensitive Compartmented Information intelligence systems, including the policies, procedures, and system security controls for the enterprise-wide intelligence system, likewise found “that DHS’ information security program for intelligence systems is not effective, based on the maturity model included in this year’s reporting instructions. Specifically, DHS’ continuous monitoring tools for its intelligence system are not interoperable.”
The IG said in its unclassified report that “DHS has not documented procedures, established formal training, and instituted qualitative and quantitative measures for continuous monitoring of its intelligence systems. Lastly, the United States Secret Service (USSS) has not developed a process to ensure its employees and contractors complete the required annual security awareness training.”
The IG made three recommendations to DHS’s Office of Intelligence & Analysis (I&A) and one recommendation to USSS to address identified deficiencies in DHS’s information security program for intelligence systems.
I&A concurred with all three recommendations made to it, and the USSS concurred with the one recommendation made to it.
biometrics | cybersecurity | enterprise | identity management | United States