Office of Congressional Workplace Rights: Weaknesses in Cybersecurity Management and Oversight Need to Be Addressed, Report to Congressional Committees
From the Document: "OCWR [Office of Congressional Workplace Rights] is an independent, nonpartisan office that administers and enforces various provisions related to fair employment, and occupational safety and health within the legislative branch. To meet its mission, OCWR relies extensively on external parties, such as the Library of Congress, for IT [information technology] support. In December 2018, Congress passed the Congressional Accountability Act of 1995 Reform Act (Reform Act) which, among other things, required OCWR to create a secure, online system to receive and keep track of claims related to employee rights and protections, such as sexual harassment and discrimination. To meet this requirement, OCWR initiated the SOCRATES [Secure Online Claims Reporting and Tracking E-filing System] project to upgrade its legacy claims management system. The Reform Act included a provision for GAO [Government Accountability Office] to review OCWR's cybersecurity practices. This report examines the extent to which OCWR (1) incorporated key cybersecurity management activities into project planning for its claims management system upgrade, (2) performed oversight of security controls and mitigated risks for selected systems operated by external parties on its behalf, and (3) established an effective approach for managing organization-wide cybersecurity risk. To address these objectives, GAO compared OCWR IT policies, procedures, strategic plans, and documentation for two selected systems to leading IT project planning, system oversight, and cybersecurity management practices."
Government Accountability Office: http://www.gao.gov/