GAO: Congress’ ‘secure’ system for discrimination and harassment claims wasn’t that secure
The Office of Congressional Workplace Rights failed to establish cybersecurity and privacy requirements when planning its online system for discrimination and harassment claims by workers in the legislative branch, according to a new report.
A month after the Government Accountability Office found OCWR lacked an information technology strategic plan, the investigative arm of Congress also has found there was no timeline for security assessments of the Secure Online Claims Reporting and Tracking E-filing System (SOCRATES).
The Congressional Accountability Act of 1995 Reform Act, enacted in 2018, required the creation of SOCRATES in response to increased awareness of workplace sexual harassment. The system went live seven days late on June 26.
OCWR didn’t document cybersecurity risks to the project, including its reliance on external parties to operate both SOCRATES and the Facility Management Assistant (FMA) for reporting occupational safety and health violations, according to the GAO report released Tuesday.
“[I]mportant security controls needed to ensure the confidentiality, integrity and availability of the system were not fully tested before the system was deployed,” reads the report. “In addition, penetration testing — where evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of the system — was not fully completed before deployment.”
Another GAO report assessing OCWR security controls is forthcoming, although distribution will be limited because it details how to prevent successful attacks.
OCWR intends to develop cyber policies and procedures, but they’re currently half-baked, according to GAO. The agency designated a person to oversee cyber risk but never outlined the official’s responsibilities.
GAO recommended incorporating cyber activities into project planning, implementing oversight of SOCRATES and FMA, establishing the risk executive’s responsibilities, developing a cyber risk management strategy, and creating a timeline for mitigating that risk.