The Treasury Department Office of the Inspector General (OIG) reported that the agency’s cyber threat indicators in Calendar Year (CY) 2017 and CY2018 were “adequate and aligned with the provisions of CISA [the Cybersecurity Information Sharing Act of 2015]” in an audit released on Dec. 10.
“We concluded that Treasury’s sharing of cyber threat indicators and defensive measures and protecting PII [personally identifiable information] aligned with the provisions of CISA,” the report states. “Furthermore, Treasury complied with all Federal privacy and civil liberty requirements.”
The audit, conducted between February 2019 and October 2019, assessed for compliance with Section 107 of the Cybersecurity Information Sharing Act of 2015 through a review of Treasury Early Warning Indicators (TEWI) and Cyber Information Group (CIG) Circulars released to the private sector by the agency.
The Government Security Operations Center (GSOC) and the Office of Cybersecurity and Critical Infrastructure Protection (OCCIP) releasing these documents followed all applicable Cybersecurity Information Sharing Act of 2015 policies, procedures, and practices to protect sensitive information, the OIG determined.
Additionally, Treasury complied with Department of Homeland Security (DHS) procedures to alert the private sector of cyber threats and removed PII from its TEWIs and CIG Circulars. In this process, Treasury adhered to the proper measures to share pertinent cyber threat indicators in real time while still protecting classified information.