CISA, FLETC failed to protect law enforcement officers’ PII, other data


Two important arms of the U.S. Department of Homeland Security (DHS) failed to protect personally identifiable information (PII) and sensitive law enforcement training curricula, potentially putting more than 37,000 DHS and other federal law enforcement officers’ names, social security numbers, dates of birth, genders, ranks, titles, and biometric information at risk of being compromised and exploited.

Also at risk are the PII of law enforcement officers and agents from state, local, tribal, campus, international, and 90 partner organizations which potentially could number in the hundreds of thousands.

The problems surfaced during an ongoing audit of “urgent cybersecurity issues” within DHS performed by the office of DHS’s Inspector General (IG), Joseph Cuffari.

Cuffari said in a July 17 Final Management Alert to the chief information officers (CIOs) of the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Law Enforcement Training Centers (FLETC) that during his office’s “ongoing audit of the Department of Homeland Security’s learning management system, [it] identified a significant risk to the operations, assets, and individuals” using CISA’s Federal Virtual Training Environment (FedVTE) and FLETC’s eFLETC online learning management system.

The IG’s alert advised both CISA and FLETC “to take immediate action to mitigate risks associated with using a high-risk contractor to supply their learning management systems.”

The contractor is not identified in the alert, although a government document obtained by Biometric Update identifies vendors “approved” to provide such licensed services. This document also makes clear that “all government data must be treated confidentially, using National Institute of Standards and Technology guidelines for the security and handling of sensitive but unclassified data,” as well as compliance with the Privacy Act of 1974 and the privacy provisions of the e-Government Act of 2002.

The IG said a DHS internal investigation had found that the contractor had exhibited “poor cybersecurity hygiene,” and that by having failed to take action to mitigate the cybersecurity problems, CISA and FLETC were putting sensitive personally identifiable information and sensitive law enforcement training information stored and processed by CISA and FLETC’s learning management systems “at risk of compromise.”

The problems began in August 2022 when DHS entered into an interagency agreement with the Office of Personnel Management (OPM) to use the unnamed contractor for a learning management system Software-as-a-Service (SaaS) solution to meet the enterprise training needs of DHS personnel and stakeholders. The contractor was responsible for the operation, management, and continuous monitoring of the system in accordance with security regulations and protocols.

Under OPM’s USALearning program, all U.S. government, state, and local municipalities are provided with training services, training systems, courseware development, virtual simulators, and other online learning tools and resources. USAL learning management system support provides Federal Risk and Authorization Management Program (FedRAMP) systems to over 60 large and small federal agencies with non-cloud and cloud-based applications to include but not limited to Platform as a Service (PaaS) and SaaS approaches to meet organizational requirements, as appropriate.

As an assisted acquisition provider, OPM is congressionally authorized to use its revolving fund for assisted acquisition support across all agencies to allow the USAL Program to leverage the government’s buying power, reducing overall costs to government customers.

FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud technologies throughout the U.S. government.

A year ago, DHS’ IG said it found that only seven months after DHS launched DHSLearning, the system “experienced multiple hard drive failures” resulting in “a service outage and loss of DHS data.”

“Specifically,” the IG said, “DHS’ learning management system went offline for six days,” and, “despite remote and on-site attempts, hardware resets, and installation of new replacement drives, the data could not be recovered because no system backups were being performed due to an incorrect configuration.”

Following that incident, DHS’ Chief Information Security Officer (CISO) launched an investigation which found that the unnamed contractor had engaged in sloppy cybersecurity, and had not “complied with FedRAMP monitoring requirements.”

DHS’s CISO concluded that the continued use of DHSLearning presented an unacceptable risk to DHS operations, assets, and individuals, and on June 23, 2023, issued a denial of the authorization to operate (ATO) and ordered all employees to stop using DHSLearning “because it could not rule out the possibility of a malicious insider or cyberattack.”

A month later, DHS’s CISO notified all component CISOs of his denial to continue operating and informed them of the results of the investigation because both CISA and FLETC use the same unnamed contractor to supply their learning management systems.

However, the same day DHS’s CISO issued the denial of authorization for DHSLearning, CISA’s own Chief Information Officer (CIO) rescinded the ATO for the FedVTE, and three days later signed a risk acceptance memorandum authorizing its continued use, even though the memo identified the overall risk to CISA’s operation as “high due to anomalies found during DHS’ investigation.”

DHS’s IG found that CISA’s CIO had recommended “accepting the risk to allow the learning management system to continue operating given its impact across the federal, state, local, and private industry mission space until CISA can develop a new capability, transition to another capability, or the FedRAMP provider brings the system to an acceptable level of compliance with DHS and CISA standards.”

“We found that CISA’s risk acceptance request did not include a valid justification, compensating controls, or a plan of action and milestones to remediate the identified control deficiencies,” the IG said, noting that “CISA’s CIO both authored and approved its risk acceptance request without any oversight or approval from the DHS CISO, as required.”

As of this month, the IG said, CISA has yet to develop a new capability, to transition to another, or to take any steps to ensure the unidentified contractor complies with DHS and CISA standards.

CISA is currently working to replace FedVTE with another “service solution to meet training needs,” but it isn’t expected to be operational until the end of September. In the meantime, CISA is working to “mitigate control deficiencies,” but that, too, isn’t expected to be completed until the end of December.

In September 2022, CISA’s 2023-2025 Strategic Plan had promised to “reduce risk and build resilience to cyber threats” across all government domains.

DHS’s IG further found that FLETC had continued to use eFLETC even after having been notified of the rescinded ATO and noted that FLETC’s original ATO for eFLETC issued on June 9, 2022, had certified that the system met the necessary security requirements, and that the ATO would only remain valid if the contractor maintained compliance with FedRAMP’s continuous monitoring requirements.

“Even though DHS’ investigation found noncompliance by [the contractor] with FedRAMP’s monitoring requirements, FLETC did not rescind its ATO or take any steps to mitigate these risks,” the IG declared. “Instead, one month after being notified of the investigation results, FLETC signed a 1-year, $1.8 million extension to continue using [the contractor] for eFLETC.”

The original June 2017 eFLETC Privacy Impact Assessment had also assured that any risk of exposure of PII to identity theft or mishandling would be mitigated “by normal security measures.”

Additionally, an October 2021 Request for Information issued by FLETC on developing the eFLETC online training system had also made clear that if and when a contractor was selected, that contractor would be required to ensure that the system was “free of elements that might be detrimental to the secure operation of the resource operating system,” which included:

  • Malicious code and malware;
  • Trojans, worms, logic bombs, and other computer viruses;
  • Backdoors;
  • Adware, Spy-ware, or web bugs that have the ability to track user behavior;
  • Code that permits functions that are beyond the actual publicized intent of application capability;
  • Software that will not function properly with the operating system configured securely.
