Healthcare.gov violates security standards

It’s a good thing that Healthcare.gov doesn’t work, because the system is also insecure:

As HealthCare.gov was being developed, crucial tests to ensure the security and privacy of customer information fell behind schedule.

CBS News analysis found that the deadline for final security plans slipped three times from May 6 to July 16. Security assessments to be finished June 7 slid to August 16 and then August 23. The final, required top-to-bottom security tests never got done.

The House Oversight Committee released an Obama administration memo that shows four days before the launch, the government took an unusual step. It granted itself a waiver to launch the website with “a level of uncertainty … deemed as a high (security) risk.”

Agency head Marilyn Tavenner accepted the risk and “mitigation” measures like frequent testing and a dedicated security team. But three other officials signed a statement saying that “does not reduce the risk” of launching October 1.

(Via Hot Air.) In fact, the waiver (as CBS describes it) isn’t even allowed under government rules:

Ultimately, the letter recommended that Tavenner issue an Authority to Operate for six months while security testing continued on the site, which she approved. “This is a temporary Authority to Operate,” Sebelius said as she examined the document during the hearing. . .

Yet Sebelius’s matter-of-fact description of the temporary authorization is a lot different from the 2012 memo from Zients on federal cyber-security.

Page 11 of the Zients memo includes the following section:

Does OMB recognize interim authority to operate for security authorizations?

No. The security authorization process has been required for many years, and it is important to measure the implementation of this process to improve consistency and quality government-wide. Introducing additional inconsistency to the government’s security program would be counter to FISMA’s goals.

(Via Instapundit.) Counter to the goals of FISMA (the Federal Information Security Management Act), perhaps, but essential to the Obama administration’s political goals, and you know which takes priority.

The system’s insecurity isn’t just theoretical either. They’re already finding exploitable security holes.

(Previous post.)
