Department of Labor’s Own Cybersecurity Insufficient
Despite its recent focus on plan and vendor cybersecurity, the Department of Labor’s own IT security has been determined to be insufficient. After an audit conducted by multinational professional services network KPMG reported more than a dozen problems with the DOL’s information security systems, the Department’s Inspector General released a report stating that the DOL’s information security program is “not effective.” The report noted that the DOL failed to conduct annual security control assessments for 30 systems in 2021. Annual security control assessments make sure that threats and vulnerabilities—which can result in risks to the confidentiality, integrity, and availability of information systems and data—are not overlooked. Additionally, the DOL failed to institute a sufficient supply chain risk management program and failed to keep an accurate record of computer hardware.
In total, the report issued 16 findings and made 18 recommendations. The Department’s Chief Information Office did not refute the Inspector General report and instead provided corrective actions that the Inspector General considered responsive to the recommendations.