Audit: Weaknesses identified in ATF data security measures

Federal auditors discovered weaknesses in the Bureau of Alcohol, Tobacco, Firearms and Explosives data security protocols, according to a report released this week.

The Department of Justice’s Office of Inspector General found weaknesses in four of the agency’s seven domain areas that need to be corrected to protect ATF information systems and data, according to the audit summary.

The audit measures ATF compliance with the Federal Information Security Modernization Act, implemented in 2014 to update the federal government’s cyber security policies and prevent hacking.

“FISMA assigns responsibilities to federal agencies, the National Institute of Standards and Technology (NIST), and OMB to strengthen federal information system security,” the audit says. “This includes directing NIST to develop standards and guidelines for ensuring the effectiveness of information security controls over information systems that support federal agencies’ operations and assets, and requiring the head of each agency to implement policies and procedures to cost effectively reduce risks to an acceptable level.”

The OIG withheld the entire audit from public viewing, but said it made five recommendations for ATF officials to improve the agency’s security program. The agency concurred with the identified weaknesses, according to the audit.

“Annually, agency Inspectors General are required to either perform an independent evaluation or contract an independent external auditor to perform an evaluation of the agency’s information security program and practices to ensure the effectiveness of the program and practices,” the audit summary says. “Each evaluation must include testing the effectiveness of information security policies, procedures, and practices of a representative subset of the agency’s information systems; an assessment (based on the results of the testing) of compliance with FISMA; and separate representations, as appropriate, regarding information security related to national security systems.”

A separate audit of the ATF’s Bomb, Arson and Tracking (BATS) security policies identified just one weakness out of seven control areas, according to the OIG. ATF officials concurred with the audit findings and the OIG’s recommendation to fix the issue.