Senators Tom Carper (D-DE) and Ron Johnson (R-WI) sent a letter late last week to the chairman of the Federal Retirement Thrift Investment Board (FRTIB), the outfit that runs the Thrift Savings Plan, expressing concerns about potential cybersecurity vulnerabilities within the TSP.
The letter noted that recent reports have suggested that there are weaknesses in the FRTIB’s networks and said that it is essential that the FRTIB safeguard the personal information and accounts of federal employees who invest in the TSP.
The letter posed several questions to the FRTIB chairman to be answered to ensure that necessary actions are being taken to ensure proper cybersecurity measures are in place for the TSP.
A copy of the letter is included below.
The Honorable Michael Kennedy
Federal Retirement Thrift Investment Board
77 K Street, Northeast, Suite 1000
Washington, D.C. 20002
Dear Chairman Kennedy:
We write to you today with concerns about the network defenses of the Thrift Savings Plan (TSP) and other systems run by the Federal Retirement Thrift Investment Board (“the Board”). As the agency charged with protecting the primary retirement plan for millions of current and former Federal employees and Uniformed Service members, it is essential that the Board take the necessary actions to better secure the information systems that house personal and financial information of so many Americans.
As you know, recent reports suggest that the Board may have significant weaknesses in its networks. According to Federal auditors, the Board has failed to fix security flaws identified for years. One government official stated that without the necessary security updates, the Board “will not be able to prevent…unauthorized disclosure of the systems and data.” A data breach at the Board “could potentially lead to not just personal data access, but also loans and withdrawals from enrollees[’] accounts.”
The auditors also expressed frustration about their ability to access to the Board’s networks in a timely manner to conduct its audit. The Department of Labor Employee Benefits Security Administration is required by law to conduct fiduciary compliance audits of the TSP, which may include assessing the confidentiality, integrity, and availability of sensitive information. Independent assessment is an essential part of any organization’s cyber risk management program. We urge you to allow the auditors to conduct the necessary penetration testing so that you may know where any potential vulnerabilities might exist before those who wish to steal our information do.
Finally, we are also aware that in 2014 the Board did not submit its security compliance data to the Office of Management and Budget (OMB) as required under the Federal Information Security Management Act (FISMA). Reporting to OMB and to Congress provides transparency and is a primary mechanism of oversight under the FISMA framework. Going forward, I expect that you will make every effort to meet your obligations under FISMA.
These new findings are particularly troubling given the major data breach in 2011 which exposed account information for 123,000 TSP participants to malicious actors. We cannot let another breach happen. We request that the Board provide a staff-level briefing as soon as possible. In addition, I request that you provide answers to the following questions:
- Has your agency undergone any assessments, audits, or independent reviews of its cybersecurity posture, including the assessments required under FISMA? If so, please include any reports associated with those assessments, audits, and reviews with your response.
- What are your plans to work with auditors at the Department of Labor to ensure the Board is building an effective and robust security program?
- Why didn’t the Board comply with the reporting requirements under FISMA?
- How do you plan to work with OMB to come into compliance with FISMA?
- How does the Board work with the Department of Homeland Security to take advantage of its resources, including the Continuous Diagnostics and Mitigation program, the protections of the EINSTEIN program, and services at the United States Computer Emergency Readiness Team? What other programs and services has the Board utilized to assess and improve its information security, such as those offered by other Federal agencies or private sector firms, if any?.
The Committee on Homeland Security and Governmental Affairs is the chief investigative committee of the United States Senate. Rule XXV of the Standing Rules of the Senate affords the Committee jurisdiction over the “Federal Civil Service . . . Government information . . . [and the] Status of officers and employees of the United States, including their classification, compensation, and benefits,” and authorizes the Committee to investigate “the efficiency, economy, and effectiveness of all agencies and departments of the Government.” Additionally, S. Res. 73 (114th Congress) authorizes the Committee to examine “the efficiency and economy of all branches and functions of the Government with particular references to the effectiveness of present national security methods, staffing, and processes as tested against the requirements imposed by the rapidly mounting complexity of national security problems.”
Thank you again for your leadership and service to our country. We look forward to hearing from you, and working with you on these important issues.
Chairman Ron Johnson
Ranking Member Tom Carper