Fast Facts

The Office of Congressional Workplace Rights enforces fair employment and occupational safety and health rules in the legislative branch. Congress passed a 2018 law that, among other things, required the office to create a secure online system for discrimination and harassment claims.

We found weaknesses in the office’s project planning, system oversight, and cybersecurity risk management. For example, the office didn’t fully implement key oversight activities—such as establishing security and privacy requirements—for its systems operated by external entities.

Our 5 recommendations are to address this and other issues we identified.

The U.S. Capitol

Highlights

What GAO Found

The Office of Congressional Workplace Rights (OCWR) did not incorporate key cybersecurity management practices into the planning for its Secure Online Claims Reporting and Tracking E-filing System (SOCRATES) project. While OCWR drafted a SOCRATES project schedule, the office did not finalize and use this schedule to manage cybersecurity activities, such as the time frames for conducting information technology (IT) system security assessments. In addition, the office did not document project cybersecurity risks, such as the office's reliance on external parties to implement responsibilities on its behalf. These weaknesses were due, in part, to a lack of policies and procedures for IT project planning. Until OCWR establishes and implements such policies and procedures, it will continue to have a limited ability to effectively manage and monitor the completion of cybersecurity activities for its IT projects.

OCWR did not fully implement important oversight activities for two selected systems—SOCRATES and the system used to document occupational safety and health violations known as the Facility Management Assistant (FMA)—operated by external entities (see table).

Extent to Which the Office of Congressional Workplace Rights (OCWR) Implemented Selected System Oversight Activities for Two Systems Operated by External Entities

Oversight activities (table columns): (1) Establish security and privacy requirements; (2) Plan assessment of security controls; (3) Conduct assessment; (4) Review assessment

Systems (table rows): Secure Online Claims Reporting and Tracking E-filing System (SOCRATES); Facility Management Assistant (FMA)

(The rating shown in each cell of the table is not reproduced in this text version.)

Key: ● Fully implemented; ◐ Partially implemented; Not implemented

Source: GAO analysis of agency and external contractor data. | GAO-20-199

These shortfalls contributed to concerns with the deployment of SOCRATES in June 2019. For example, important security controls needed to ensure the confidentiality, integrity, and availability of the system were not fully tested before the system was deployed. In addition, penetration testing—where evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of the system—was not fully completed before deployment. GAO plans to issue a separate report with limited distribution on its assessment of security controls intended to, among other things, prevent successful attacks.

Although OCWR's strategic plan includes a goal of developing cybersecurity policies and procedures, the office had not fully established an effective approach for managing organization-wide cybersecurity risk. For example, OCWR designated an executive to oversee risk, but had not established the responsibilities of the official in the office's policies. Until OCWR improves its approach to managing cybersecurity risks, its ability to make operational decisions that adequately address security risks will be hindered.

Why GAO Did This Study

OCWR is an independent, nonpartisan office that administers and enforces various provisions related to fair employment and occupational safety and health within the legislative branch. To meet its mission, OCWR relies extensively on external parties, such as the Library of Congress, for IT support. In December 2018, Congress passed the Congressional Accountability Act of 1995 Reform Act (Reform Act), which, among other things, required OCWR to create a secure, online system to receive and keep track of claims related to employee rights and protections, such as sexual harassment and discrimination. To meet this requirement, OCWR initiated the SOCRATES project to upgrade its legacy claims management system.

The Reform Act included a provision for GAO to review OCWR's cybersecurity practices. This report examines the extent to which OCWR (1) incorporated key cybersecurity management activities into project planning for its claims management system upgrade, (2) performed oversight of security controls and mitigated risks for selected systems operated by external parties on its behalf, and (3) established an effective approach for managing organization-wide cybersecurity risk. To address these objectives, GAO compared OCWR IT policies, procedures, strategic plans, and documentation for two selected systems to leading IT project planning, system oversight, and cybersecurity management practices.


Recommendations

GAO is making five recommendations to OCWR to address weaknesses in cybersecurity management and oversight. OCWR did not state whether it agreed or disagreed with GAO's recommendations, but described actions planned or taken to address them.

Recommendations for Executive Action

Agency Affected: Other (all five recommendations)

1. The Executive Director should ensure the development and implementation of policies and procedures for incorporating key cybersecurity activities into IT project planning, including scheduling, requirements management, and risk management. (Recommendation 1)
Status: Open

2. The Executive Director should ensure the development and implementation of oversight procedures for each externally-operated system that include (1) establishing security and privacy requirements, (2) planning the assessment of security controls, (3) conducting the assessment, and (4) reviewing the assessment. (Recommendation 2)
Status: Open

3. The Executive Director should ensure the establishment of roles and responsibilities for a risk executive function. (Recommendation 3)
Status: Open

4. The Executive Director should ensure the development and implementation of a cybersecurity risk management strategy. (Recommendation 4)
Status: Open

5. The Executive Director should ensure commitment to a time frame for developing and implementing policies and procedures for managing cybersecurity risk. (Recommendation 5)
Status: Open

When we confirm what actions the agency has taken in response to these recommendations, we will provide updated information.
