Office of Congressional Workplace Rights:
Weaknesses in Cybersecurity Management and Oversight Need to Be Addressed
GAO-20-199: Published: Feb 11, 2020. Publicly Released: Feb 11, 2020.
Contact:
(202) 512-9342
marinosn@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
The Office of Congressional Workplace Rights enforces fair employment and occupational safety and health rules in the legislative branch. Congress passed a 2018 law that, among other things, required the office to create a secure online system for discrimination and harassment claims.
We found weaknesses in the office’s project planning, system oversight, and cybersecurity risk management. For example, the office didn’t fully implement key oversight activities—such as establishing security and privacy requirements—for its systems operated by external entities.
Our 5 recommendations are to address this and other issues we identified.

What GAO Found
The Office of Congressional Workplace Rights (OCWR) did not incorporate key cybersecurity management practices into the planning for its Secure Online Claims Reporting and Tracking E-filing System (SOCRATES) project. While OCWR drafted a SOCRATES project schedule, the office did not finalize and use this schedule to manage cybersecurity activities, such as the time frames for conducting information technology (IT) system security assessments. In addition, the office did not document project cybersecurity risks, such as the office's reliance on external parties to implement responsibilities on its behalf. These weaknesses were due, in part, to a lack of policies and procedures for IT project planning. Until OCWR establishes and implements such policies and procedures, it will continue to have a limited ability to effectively manage and monitor the completion of cybersecurity activities for its IT projects.
OCWR did not fully implement important oversight activities for two selected systems—SOCRATES and the system used to document occupational safety and health violations known as the Facility Management Assistant (FMA)—operated by external entities (see table).
Extent to Which the Office of Congressional Workplace Rights (OCWR) Implemented Selected System Oversight Activities for Two Systems Operated by External Entities
System | Establish security and privacy requirements | Plan assessment of security controls | Conduct assessment | Review assessment
Secure Online Claims Reporting and Tracking E-filing System (SOCRATES) | ◐ | ◐ | ◐ | ◐
Facility Management Assistant (FMA) | ◐ | ○ | ○ | ○
Key: ● Fully implemented ◐ Partially implemented ○ Not implemented
Source: GAO analysis of agency and external contractor data. | GAO-20-199
These shortfalls contributed to concerns with the deployment of SOCRATES in June 2019. For example, important security controls needed to ensure the confidentiality, integrity, and availability of the system were not fully tested before the system was deployed. In addition, penetration testing—where evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of the system—was not fully completed before deployment. GAO plans to issue a separate report with limited distribution on its assessment of security controls intended to, among other things, prevent successful attacks.
Although OCWR's strategic plan includes a goal of developing cybersecurity policies and procedures, the office had not fully established an effective approach for managing organization-wide cybersecurity risk. For example, OCWR designated an executive to oversee risk, but had not established the responsibilities of the official in the office's policies. Until OCWR improves its approach to managing cybersecurity risks, its ability to make operational decisions that adequately address security risks will be hindered.
Why GAO Did This Study
OCWR is an independent, nonpartisan office that administers and enforces various provisions related to fair employment, and occupational safety and health within the legislative branch. To meet its mission, OCWR relies extensively on external parties, such as the Library of Congress, for IT support. In December 2018, Congress passed the Congressional Accountability Act of 1995 Reform Act (Reform Act) which, among other things, required OCWR to create a secure, online system to receive and keep track of claims related to employee rights and protections, such as sexual harassment and discrimination. To meet this requirement, OCWR initiated the SOCRATES project to upgrade its legacy claims management system.
The Reform Act included a provision for GAO to review OCWR's cybersecurity practices. This report examines the extent to which OCWR (1) incorporated key cybersecurity management activities into project planning for its claims management system upgrade, (2) performed oversight of security controls and mitigated risks for selected systems operated by external parties on its behalf, and (3) established an effective approach for managing organization-wide cybersecurity risk. To address these objectives, GAO compared OCWR IT policies, procedures, strategic plans, and documentation for two selected systems to leading IT project planning, system oversight, and cybersecurity management practices.
What GAO Recommends
GAO is making five recommendations to OCWR to address weaknesses in cybersecurity management and oversight. OCWR did not state whether it agreed or disagreed with GAO's recommendations, but described actions planned or taken to address them.
For more information, contact Nick Marinos at (202) 512-9342 or marinosn@gao.gov.
Recommendations for Executive Action
Recommendation: The Executive Director should ensure the development and implementation of policies and procedures for incorporating key cybersecurity activities into IT project planning, including scheduling, requirements management, and risk management. (Recommendation 1)
Agency Affected: Office of Congressional Workplace Rights
Status: Open
Comments: In January 2020, OCWR noted that it was in the process of revising its IT systems project planning to ensure the development and implementation of policies and procedures incorporating key cybersecurity activities. The agency also stated that it plans to hire an IT Security Project Manager in order to acquire the necessary cybersecurity expertise needed to implement this recommendation and to ensure that sufficient time and resources can be dedicated to the development and implementation of these policies and procedures. We will continue to monitor OCWR's progress in addressing this recommendation.

Recommendation: The Executive Director should ensure the development and implementation of oversight procedures for each externally-operated system that include (1) establishing security and privacy requirements, (2) planning the assessment of security controls, (3) conducting the assessment, and (4) reviewing the assessment. (Recommendation 2)
Agency Affected: Office of Congressional Workplace Rights
Status: Open
Comments: In January 2020, OCWR noted that it was beginning to plan for developing and implementing oversight procedures for each externally-operated system. We will continue to monitor OCWR's progress in addressing this recommendation.

Recommendation: The Executive Director should ensure the establishment of roles and responsibilities for a risk executive function. (Recommendation 3)
Agency Affected: Office of Congressional Workplace Rights
Status: Open
Comments: In January 2020, OCWR noted that it had expanded the office's IT Director's role to formally include the functions of an IT Risk Executive and was in the process of establishing the roles and responsibilities. We will continue to monitor OCWR's progress in addressing this recommendation.

Recommendation: The Executive Director should ensure the development and implementation of a cybersecurity risk management strategy. (Recommendation 4)
Agency Affected: Office of Congressional Workplace Rights
Status: Open
Comments: In January 2020, OCWR noted that it was beginning to plan for developing and implementing a cybersecurity risk management strategy. We will continue to monitor OCWR's progress in addressing this recommendation.

Recommendation: The Executive Director should ensure commitment to a time frame for developing and implementing policies and procedures for managing cybersecurity risk. (Recommendation 5)
Agency Affected: Office of Congressional Workplace Rights
Status: Open
Comments: In January 2020, OCWR noted that, once the position of IT Security Project Manager is filled and the IT Risk Executive functions are formalized, the agency is planning to commit to a time frame for developing and implementing policies and procedures for managing cybersecurity risk. We will continue to monitor OCWR's progress in addressing this recommendation.