
‘Significant deficiency’ risks security of sensitive federal debt data

Details on the deficiency were deemed “sensitive information” by BFS and not publicly disclosed, but the agency said it’s drafting a comprehensive remediation plan.

The agency responsible for managing the $26.9 trillion federal debt needs to improve its information system controls or risk the security of sensitive financial data, according to the Government Accountability Office.

While the Bureau of the Fiscal Service addressed five previous recommendations, 16 related to security management, access controls and configuration management deficiencies remain unresolved — on top of eight new ones in areas like segregation of duties, GAO found in its annual audit.

Details on the deficiencies were deemed “sensitive information” by BFS and not publicly disclosed, but the agency said it’s drafting a comprehensive audit remediation plan.

“These new and continuing information system control deficiencies, which collectively represent a significant deficiency, increase the risk of unauthorized access to, modification of, or disclosure of sensitive data and programs and disruption of critical operations,” reads GAO’s public report.


BFS managed to maintain “effective internal control” of federal debt reporting by strengthening access and monitoring controls around data sets that can only be altered with its mainframe change-management tool, reads the report. The agency also improved its monitoring of compliance with baseline security requirements.

But GAO found mainframe security controls weren’t used in accordance with the concept of least privilege and mainframe security architecture documents needed improvement.

Security and configuration management controls remain inadequate and responsibilities unclear, according to the report: in some cases a single person is in charge of activities that are better split between two or more people or units, so that a second party can catch errors and suspicious activity.
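The two findings above, least privilege and segregation of duties, are the kind of thing an auditor checks by reviewing who holds which entitlements and whether they are actually used. The following is an added illustration of such a review, not BFS or GAO tooling: it runs a segregation-of-duties check and a stale-privilege check over a small, constructed entitlement table. The user names, role names, conflict pairs and last-use figures are all hypothetical sample data.

```python
"""Segregation-of-duties and least-privilege review over a constructed
entitlement table.  Added illustration; not tooling from BFS or GAO."""
from collections import defaultdict

# Constructed sample entitlements: (user, role).  Names and roles are hypothetical.
ENTITLEMENTS = [
    ("alice", "change_submitter"),
    ("alice", "change_approver"),    # alice can both submit and approve a change
    ("bob",   "change_submitter"),
    ("carol", "change_approver"),
    ("dave",  "security_admin"),
    ("dave",  "audit_log_reader"),
    ("dave",  "audit_log_purger"),   # an admin who can also erase the audit trail
    ("erin",  "report_viewer"),
    ("erin",  "dataset_writer"),     # a write role erin's job never exercises
]

# Role combinations that should never rest with one person (hypothetical policy).
SOD_CONFLICTS = {
    frozenset({"change_submitter", "change_approver"}),
    frozenset({"security_admin", "audit_log_purger"}),
}

# Constructed last-use data, e.g. derived from an access log:
# days since each (user, role) pair was last exercised.
LAST_USED_DAYS = {
    ("alice", "change_submitter"): 3,
    ("alice", "change_approver"): 5,
    ("bob",   "change_submitter"): 1,
    ("carol", "change_approver"): 2,
    ("dave",  "security_admin"): 4,
    ("dave",  "audit_log_reader"): 10,
    ("dave",  "audit_log_purger"): 30,
    ("erin",  "report_viewer"): 2,
    ("erin",  "dataset_writer"): 400,
}


def roles_by_user(entitlements):
    """Group the flat (user, role) list into user -> set of roles."""
    grouped = defaultdict(set)
    for user, role in entitlements:
        grouped[user].add(role)
    return grouped


def sod_violations(entitlements, conflicts=SOD_CONFLICTS):
    """Return (user, conflicting_roles) for every toxic combination held by one user.

    Output is sorted so the result is deterministic regardless of set iteration order.
    """
    found = []
    for user, roles in roles_by_user(entitlements).items():
        for combo in conflicts:
            if combo <= roles:                # user holds every role in the combination
                found.append((user, tuple(sorted(combo))))
    return sorted(found)


def unused_privileges(entitlements, last_used, threshold_days=90):
    """Return (user, role) pairs not exercised within threshold_days.

    A role that is held but never used is the classic least-privilege finding:
    it is a candidate for removal.  A pair missing from last_used is treated
    as never used and is flagged as well.
    """
    stale = []
    for user, role in entitlements:
        days = last_used.get((user, role))
        if days is None or days > threshold_days:
            stale.append((user, role))
    return sorted(stale)


if __name__ == "__main__":
    for user, combo in sod_violations(ENTITLEMENTS):
        print(f"SoD conflict: {user} holds {' + '.join(combo)}")
    for user, role in unused_privileges(ENTITLEMENTS, LAST_USED_DAYS):
        print(f"Stale privilege: {user} has not used {role} in 90+ days")
```

In a real review the entitlement list would come from the mainframe's security product and the last-use figures from its access logs; the conflict set is an organisational decision, and the threshold is a policy choice rather than a technical constant.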

The head of BFS has 180 days to formally respond to the report with actions taken or planned.
