Senate appropriators release funding bills with cyber money

Senate appropriators on Monday chided the Treasury Department and IRS for letting cybersecurity vulnerabilities persist in mission-critical systems. The admonition came in the detailed breakdown of the fiscal year 2018 funding bill for the Treasury Department, Office of Personnel Management, the president’s staff and other miscellaneous agencies.

To address the shortcomings, the Senate Appropriations Committee recommended giving Treasury $27.3 million for its department-wide cyber upgrade fund. But that figure is a significant decrease from the $47.7 million appropriated in the 2017 fiscal year. The panel also ordered Treasury’s chief information officer to personally review all requests to use money from the fund. Lawmakers also encouraged the agency’s internal watchdog to “conduct oversight work on the potential vulnerability of Treasury’s networks.”

The IRS fared slightly better than Treasury as a whole on the cyber front. The appropriations bill recommends funding its operations support division at $3.69 billion — a $50 million increase over the 2017 figure — “to invest in cybersecurity.” But lawmakers also directed the IRS to submit regular reports to Congress on its planned IT upgrades.

Elsewhere, the Senate panel recommended a slight dip in funding for the White House initiative that tracks agencies’ IT improvements. In the 2017 fiscal year, the Information Technology Oversight and Reform program received $27 million. The new bill would allocate $25 million for its efforts to, among other things, “protect IT assets and information by improving oversight of federal cybersecurity practices.”

Separately, the bill funds OPM at $261 million, a number that alarmed Sen. Patrick Leahy, the committee’s top Democrat. “This level funds OPM’s IT modernization at substantially less than requested levels,” he said in a statement, “delaying progress on a critically important initiative in the wake of OPM data breaches.” In its explanatory statement, the committee urged OPM to “take the steps necessary to complete outstanding GAO recommendations to improve information security.”

Finally, lawmakers highlighted “the importance of the role of the federal CIO in protecting federal assets and information and strengthening the federal government’s overall cybersecurity infrastructure.” Ten months into his administration, President Donald Trump still has not nominated someone for that post.

HAPPY TUESDAY and welcome to Morning Cybersecurity! More good headline writing: When you can, include the phrase “interstellar space cigar.” Send your thoughts, feedback and especially tips to and be sure to follow @timstarks, @POLITICOPro and @MorningCybersec. Full team info below.

PROGRAMMING NOTE: Morning Cybersecurity will not publish from Nov. 23-Nov. 26. Our next Morning Cybersecurity newsletter will publish on Nov. 27.

A TRIO OF OPM CYBER REPORTS A pair of major IT systems at OPM failed to take into account all known cyber weaknesses, according to inspector general reports released Monday. But the two systems had different degrees of cyber shortcomings. The watchdog found relatively little else to criticize it its audit of the Consolidated Business Information System, a financial management IT system at OPM. Conversely, the IG was harder on the Benefits Financial Management System’s Federal Financial System, which is used to track financial transactions at the agency, noting that it needs to improve its continuous monitoring of its security controls.

A third IG report released Monday found a number of faults with how the OPM implemented Microsoft’s SharePoint program, adopted in fiscal 2017, including that it doesn’t have a process in place to test security patches or audit its system’s security settings.

STOP COASTING AND GUARD YOUR IT — The U.S. Coast Guard’s oversight of its IT spending decisions desperately needs improvement, according to a new watchdog report. The agency spent approximately $1.8 billion on IT over the past three fiscal years, but “it does not know if almost 400 information systems are receiving proper acquisition oversight,” the Office of the Department of Homeland Security Inspector General declared.

Continue reading…