IG Report: USAID Must Enhance Cybersecurity of Personally Identifiable Information
In an audit published earlier this month, the IG identified various failures, including the reliance of USAID on outdated data loss procedures and insufficient role-based privacy training.
The oversight body also took note of the agency’s retention of social security numbers and its failure to implement controls in third-party websites, FedScoop reported.
The IG report also found that some USAID staffers tasked with handling sensitive personal information have not completed requisite training.
According to a 2007 guidance from the Office of Management and Budget, federal agencies should create a plan to eliminate the unnecessary collection and use of social security numbers. The guidance also requires agencies to provide yearly updates on the progress of those plans.
USAID’s Office of the Chief Information Officer is responsible for the organization’s privacy program. The office is tasked with managing the privacy-related risks at USAID.
To enhance how USAID handles personally identifiable information, the IG report issued recommendations, including that the CIO develop and use tools designed for periodic testing of data loss prevention measures. The IG also recommended updating USAID’s SSN storage reduction plan.
Additionally, the IG suggested that the director of web management at the agency’s Bureau of Legislative and Public Affairs make a complete inventory of all third-party websites used by USAID.
The USAID IG published its report three months after the agency, led by Samantha Power, encountered a cybersecurity attack when hackers from Russia accessed the organization’s Constant Contact email marketing service account.
The cybersecurity breach was perpetrated by Nobelium, which conducted an intelligence-gathering phishing campaign that targeted 3,000 email accounts at more than 150 organizations.
The affected groups include other U.S. federal agencies, think tanks, government contractors and nongovernmental organizations.
Microsoft revealed the incident in late May, prompting USAID to notify agencies, including the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency’s Computer Emergency Readiness Team.