Office of Congressional Workplace Rights: Weaknesses in Cybersecurity Management and Oversight Need to Be Addressed

GAO-20-199 Published: Feb 11, 2020. Publicly Released: Feb 11, 2020.
Fast Facts

The Office of Congressional Workplace Rights enforces fair employment and occupational safety and health rules in the legislative branch. Congress passed a 2018 law that, among other things, required the office to create a secure online system for discrimination and harassment claims.

We found weaknesses in the office’s project planning, system oversight, and cybersecurity risk management. For example, the office didn’t fully implement key oversight activities—such as establishing security and privacy requirements—for its systems operated by external entities.

Our 5 recommendations are to address this and other issues we identified.

Highlights

What GAO Found

The Office of Congressional Workplace Rights (OCWR) did not incorporate key cybersecurity management practices into the planning for its Secure Online Claims Reporting and Tracking E-filing System (SOCRATES) project. While OCWR drafted a SOCRATES project schedule, the office did not finalize and use this schedule to manage cybersecurity activities, such as the time frames for conducting information technology (IT) system security assessments. In addition, the office did not document project cybersecurity risks, such as the office's reliance on external parties to implement responsibilities on its behalf. These weaknesses were due, in part, to a lack of policies and procedures for IT project planning. Until OCWR establishes and implements such policies and procedures, it will continue to have a limited ability to effectively manage and monitor the completion of cybersecurity activities for its IT projects.

OCWR did not fully implement important oversight activities for two selected systems—SOCRATES and the system used to document occupational safety and health violations known as the Facility Management Assistant (FMA)—operated by external entities (see table).

Table: Extent to Which the Office of Congressional Workplace Rights (OCWR) Implemented Selected System Oversight Activities for Two Systems Operated by External Entities

Oversight activities assessed (table columns): (1) establish security and privacy requirements; (2) plan assessment of security controls; (3) conduct assessment; (4) review assessment.

Systems assessed (table rows): Secure Online Claims Reporting and Tracking E-filing System (SOCRATES); Facility Management Assistant (FMA).

Key: ● Fully implemented; ◐ Partially implemented; Not implemented (symbol not rendered). The per-system ratings in the table cells were rendered as graphics and are not recoverable from this page.

Source: GAO analysis of agency and external contractor data. | GAO-20-199

These shortfalls contributed to concerns with the deployment of SOCRATES in June 2019. For example, important security controls needed to ensure the confidentiality, integrity, and availability of the system were not fully tested before the system was deployed. In addition, penetration testing—where evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of the system—was not fully completed before deployment. GAO plans to issue a separate report with limited distribution on its assessment of security controls intended to, among other things, prevent successful attacks.

Although OCWR's strategic plan includes a goal of developing cybersecurity policies and procedures, the office had not fully established an effective approach for managing organization-wide cybersecurity risk. For example, OCWR designated an executive to oversee risk, but had not established the responsibilities of that official in the office's policies. Until OCWR improves its approach to managing cybersecurity risks, its ability to make operational decisions that adequately address security risks will be hindered.

Why GAO Did This Study

OCWR is an independent, nonpartisan office that administers and enforces various provisions related to fair employment, and occupational safety and health within the legislative branch. To meet its mission, OCWR relies extensively on external parties, such as the Library of Congress, for IT support. In December 2018, Congress passed the Congressional Accountability Act of 1995 Reform Act (Reform Act) which, among other things, required OCWR to create a secure, online system to receive and keep track of claims related to employee rights and protections, such as sexual harassment and discrimination. To meet this requirement, OCWR initiated the SOCRATES project to upgrade its legacy claims management system.

The Reform Act included a provision for GAO to review OCWR's cybersecurity practices. This report examines the extent to which OCWR (1) incorporated key cybersecurity management activities into project planning for its claims management system upgrade, (2) performed oversight of security controls and mitigated risks for selected systems operated by external parties on its behalf, and (3) established an effective approach for managing organization-wide cybersecurity risk. To address these objectives, GAO compared OCWR IT policies, procedures, strategic plans, and documentation for two selected systems to leading IT project planning, system oversight, and cybersecurity management practices.

Recommendations

GAO is making five recommendations to OCWR to address weaknesses in cybersecurity management and oversight. OCWR did not state whether it agreed or disagreed with GAO's recommendations, but described actions planned or taken to address them.

Recommendations for Executive Action

Agency Affected: Office of Congressional Workplace Rights (all five recommendations)

Recommendation 1: The Executive Director should ensure the development and implementation of policies and procedures for incorporating key cybersecurity activities into IT project planning, including scheduling, requirements management, and risk management.
Status: Open
In its comments on our February 2020 report, OCWR did not state whether it agreed or disagreed with our recommendation, but described initial actions planned to address the recommendation. Specifically, OCWR stated that it planned to hire an IT Security Project Manager in order to acquire the cybersecurity expertise needed to implement this recommendation. In January 2022, the agency hired an IT Manager, according to OCWR. In a May 2022 written response, OCWR stated that the agency uses the Library of Congress's processes for IT project planning, and that the IT Manager planned to propose to the Acting Executive Director by December 2022 how to integrate the Library's processes into OCWR's policies and procedures. In September 2023, OCWR finalized an IT security policy, and agency officials told us that it reflected how key cybersecurity activities are to be incorporated into IT project planning. However, we found that the policy does not reflect how key cybersecurity activities are to be incorporated into IT project planning, including scheduling, requirements management, and risk management activities. We will continue to evaluate OCWR's progress in implementing this recommendation.

Recommendation 2: The Executive Director should ensure the development and implementation of oversight procedures for each externally operated system that include (1) establishing security and privacy requirements, (2) planning the assessment of security controls, (3) conducting the assessment, and (4) reviewing the assessment.
Status: Open – Partially Addressed
In its comments on our February 2020 report, OCWR did not state whether it agreed or disagreed with our recommendation, but described actions planned to address the recommendation. Specifically, OCWR stated that it was beginning to plan for developing and implementing oversight procedures for each externally operated system. In a May 2022 written response, OCWR officials described initial steps the agency had taken to assess the security of its externally operated system, such as engaging a vendor to complete cybersecurity penetration tests. In September 2023, OCWR finalized an IT security policy that included procedures for overseeing externally operated systems. Those procedures relate to (1) establishing security requirements, (2) planning for the assessment of security controls, (3) conducting the assessment, and (4) reviewing the security assessment results. However, the policy does not identify oversight procedures for establishing privacy requirements, including how they will be communicated to external entities or how privacy controls will be selected or documented. Further, the agency did not provide evidence demonstrating how it has implemented the procedures. We will continue to evaluate OCWR's progress in implementing this recommendation.

Recommendation 3: The Executive Director should ensure the establishment of roles and responsibilities for a risk executive function.
Status: Closed – Implemented
In its comments on our February 2020 report, OCWR did not state whether it agreed or disagreed with our recommendation, but described initial actions planned to address the recommendation. In September 2023, OCWR finalized an IT security policy that established roles and responsibilities for a risk executive function. In particular, the updated policy made OCWR's IT Director responsible for serving as the risk executive to, among other things, provide agency-wide oversight of risk activities, facilitate collaboration among stakeholders, and manage risks. By establishing roles and responsibilities for the risk executive function, the agency has a better understanding of who is ultimately responsible for overseeing the organization's cybersecurity risk activities and what those responsibilities include.

Recommendation 4: The Executive Director should ensure the development and implementation of a cybersecurity risk management strategy.
Status: Open – Partially Addressed
In its comments on our February 2020 report, OCWR did not state whether it agreed or disagreed with our recommendation, but described initial actions planned to address the recommendation. In September 2023, OCWR finalized an IT security policy, and agency officials told us that the policy articulates the organization's risk management strategy. We found that the policy included the risk assessment controls the agency planned to adhere to, including plans to conduct and review system risk assessments regularly. However, the IT security policy does not reflect a comprehensive cyber risk management strategy. In particular, the policy does not describe the agency's risk tolerance, accepted risk assessment methodologies, a process for consistently evaluating risk across the organization, risk response strategies, approaches for monitoring risk over time, or priorities for investing in risk management. In addition, OCWR has not provided evidence that it has implemented a comprehensive cybersecurity risk management strategy. We will continue to evaluate OCWR's progress in implementing this recommendation.

Recommendation 5: The Executive Director should ensure commitment to a time frame for developing and implementing policies and procedures for managing cybersecurity risk.
Status: Open – Partially Addressed
In its comments on our February 2020 report, OCWR did not state whether it agreed or disagreed with our recommendation, but described initial actions planned to address the recommendation. In September 2023, OCWR finalized an IT security policy that included policies and procedures for managing cybersecurity risk for the agency's systems, including categorizing their impact level; selecting, implementing, and assessing security controls; authorizing systems to operate; and monitoring the efficacy of controls on an ongoing basis. Further, in January 2024, the agency provided evidence of implementing policies and procedures related to managing certain aspects of cybersecurity risk, including categorizing the impact level of, and authorizing the operation of, the agency's information system used to document occupational safety and health violations. However, the agency did not provide evidence that it had implemented its policies and procedures for managing all aspects of cybersecurity risk for this information system. In particular, the agency did not demonstrate that it selected, implemented, assessed, and continuously monitored security controls for the system. Further, the agency did not provide evidence of implementing the policies and procedures for managing cyber risk for the agency's other systems. We will continue to monitor OCWR's progress in addressing this recommendation.

Topics

Cost and schedule; Cybersecurity; Privacy; Compliance oversight; Risk management; Information security; Information systems; Project planning; Policies and procedures; Occupational safety and health