A U.S. Department of Commerce Office of the Inspector General (OIG) report found that Commerce exposed sensitive data to unvetted foreign nationals through poor security program controls.
Foreign nationals – working outside the U.S. – could access and modify the Enterprise Web Services (EWS) system after their contract had already been terminated. Additionally, Commerce mishandled the response to unauthorized access by the foreign nationals and failed to account for sensitive data on its systems.
“Many of the problems we identified indicated that the Department had serious and pervasive issues that allowed exposure of sensitive data,” the report said. “Notably, sensitive global trade and foreign affairs data contained within the system was exposed to foreign entities around the time of international negotiations of the Trans-Pacific Partnership (TPP) and the North American Free Trade Agreement (NAFTA).”
The OIG made 12 recommendations to Commerce, to which the department agreed. Among them, the OIG recommended that Commerce conduct a review of contractor and subcontractor access to all department systems, ensure that all access to department systems and data is properly vetted by Commerce’s Office of Security (OSY), and establish clearer procedures for revoking access to the department’s system and data.
“In response to our draft report, the Department indicated that it generally concurred with our findings and recommendations. The Department also provided technical comments from the [Office of the CIO] and an Office of General Counsel report of its management review of EWS,” the report said.