TSP Gets Lowest Possible Score on Information Security Audit

The agency that administers the federal government’s 401(k)-style retirement program received the lowest of five possible scores on a recent audit to determine its compliance with federal information security standards.

Auditors with the consulting firm Williams Adley examined the information security program of the Federal Retirement Thrift Investment Board, which administers the Thrift Savings Plan, under the Federal Information Security Modernization Act. In the first annual study of FRTIB’s policies, the agency scored a Level 1 in accordance with the law’s fiscal 2017 inspector general reporting metrics, out of a possible five.

Although FRTIB had started a number of initiatives to upgrade its IT infrastructure and cybersecurity in recent years, auditors found those policies to remain primarily “ad hoc” in nature. An effective information security program is scored at Level 4, which includes collection of “quantitative and qualitative measures on the effectiveness of policies, procedures and strategy” at an agency and assessment for what changes are necessary.

“FRTIB has not fully developed and implemented an effective organization-wide information security program,” the auditors wrote. “Williams Adley identified a number of control deficiencies related to people, process and technology across all seven IG FISMA metric domains.”

But officials at a FRTIB board meeting Monday made one caveat about the poor showing: in order for a policy to be considered toward improving an agency’s FISMA score, it must be in place for an entire fiscal year. As a result, any changes to the agency’s information security policies made after Sept. 30, 2016, would not have been considered in the audit.

“Any change needs to be operating for the entire year in order to show up in the score,” said TSP Executive Director Ravindra Deo.

Auditors listed a number of factors that led to the “Ad Hoc” scoring of the agency’s information security program, including a “control-driven” or reactionary information security process, inadequately defined responsibilities and “inappropriate” oversight between FRTIB and its contractors, as well as efforts that focus on symptoms of problems, rather than root causes.

Upper management turnover also played a role in stalling the agency’s progress. Last April, then-Executive Director Greg Long stepped down after 10 years at the helm of the TSP, and in August, Renita Anderson left the agency after just six months as its chief technology officer.

The audit recommended that FRTIB “clearly define an organization-wide risk-based information security program,” as well as reevaluate its governance structure to ensure better oversight and monitoring of information security issues.

Suzanne Tosini, chief operating officer and acting chief technology officer for the TSP, said the agency is moving forward with plans to implement Williams Adley’s recommendations, and it will strengthen its contractor oversight policies. She provided a roadmap that projects the agency will reach a Level 3 score—“Consistently Implemented”—in fiscal 2019, which would be reflected in the fiscal 2020 audit.

“It’s not good enough to just do these things internally at FRTIB,” Tosini said. “We need to apply it across the whole ecosystem, including our contractors.”

Deo said that process improvements designed at improving the agency’s compliance with FISMA will naturally improve FRTIB’s performance in other audits and external benchmarks.

“What we’re seeing here [across audits] is different metrics measuring the same root problem,” he said. “Once we fix the problem holistically, we’ll see it reflected elsewhere.”