The Treasury Department received mixed results on its fiscal year 2019 FISMA audit, with few weak spots identified but an overall rating that still fell below the level considered effective, according to the audit released October 25 by the department’s inspector general.
With six component agencies included in the audit and 12 components across the department making up a fragmented IT environment, the audit called out specific weaknesses at certain agencies rather than assessing the department’s systems as a whole. In total, the department scored a Level 3 on the audit, with Level 3 maturity across seven of the eight areas of the FISMA maturity model – falling below the Level 4 threshold for effectiveness set by the Department of Homeland Security.
The component that came under the most fire was the United States Mint, which had weaknesses in three FISMA domains. The agency did not establish a privacy program with defined mechanisms and full documentation. Another area flagged was the Mint’s oversight of personnel access to systems, as some users did not sign the required rules of behavior or complete security awareness training in a timely manner. The Mint also did not implement specialized security training requirements, with roughly 20 percent of employees not completing their IT security training.
“Mint does not have effective mechanisms in place to ensure the timely completion of role-based specialized IT security training,” the audit states.
Along with the Mint, the Bureau of the Fiscal Service and the department’s central offices struggled with access management and data encryption controls. The Fiscal Service lacked documentation on encryption of data in transit, while departmental offices didn’t conduct semi-annual user access reviews for privileged users.
The audit highlights weaknesses in the configuration management domain at the Fiscal Service and the Bureau of Engraving and Printing (BEP), raising concerns over configuration management at BEP and documentation at the Fiscal Service. BEP noted that it did not update and approve new baseline configuration standards due to competing priorities, while the Fiscal Service said that a new software tool and competing priorities kept the agency from creating baseline documentation.
The audit made 14 recommendations to the department, all of which Treasury officials agreed to implement.