The Thrift Savings Plan’s 5.2 million participants will eventually see tighter security measures on their online TSP accounts.

The Federal Retirement Thrift Investment Board, the agency that administers the TSP, is implementing two-factor authentication for participants who access their online accounts.

The agency hopes to have it in place by the end of the fiscal year, TSP spokesman David Toro said in an email to Federal News Network.

The project is a priority for the FRTIB, because participants have been asking for two-factor authentication and tighter security controls on their online TSP accounts, Toro added.


Currently, participants enter a user ID and password to access their accounts online. The FRTIB in recent years has added a feature that allows participants to reset their account passwords online. Before, participants could only do this over the phone.

Like nearly all agencies, cybersecurity has been a tough barrier to cross for the FRTIB. Hackers accessed personal information for 123,000 TSP participants through one of the board’s contractors in 2012.

Adding two-factor authentication may be particularly important to TSP participants, especially given that many of them may have been impacted by two significantly larger data breaches at the Office of Personnel Management back in 2015.

The two-factor authentication project also is part of the FRTIB’s ongoing efforts to strengthen the plan’s security and address the agency’s growing number of audit recommendations.

By the TSP’s count, the agency had 341 open audit recommendations at the end of fiscal 2018. Two of the agency’s open recommendations date back to 2007, and 150 are unmet from 2016.

As a small agency, the FRTIB doesn’t have an inspector general to offer up recommendations. The Labor Department and independent consulting firms evaluate the agency’s financial status, Federal Information Security Management Act (FISMA) compliance and fund performance, among other areas.

FRTIB Executive Director Ravi Deo said the agency is striving to close roughly 30 audit recommendations each quarter, with the goal of closing a total of 120 by the end of this fiscal year.

To meet those goals, Deo described an aggressive plan to close audit recommendations at a faster pace than previous years.

FRTIB’s Office of Enterprise Risk Management and Office of Technology Services have reviewed each of 341 open recommendations and have assigned them a score of critical, high, moderate and low. Some newer recommendations are still in planning or are in progress, Deo said at the FRTIB board meeting earlier this month.

Once FRTIB receives and reviews an audit and its findings, the agency will assign a risk ranking to each one. For findings that are rated “critical” or “high,” the FRTIB will determine what it can do immediately to remediate it, Deo said. The agency will develop a correction active plan for the other findings with lower risk rankings.

Deo also pointed to several signs that security is already improving at the FRTIB.

The Homeland Security Department hasn’t found any FRTIB vulnerabilities on its National Cybersecurity Assessment and Technical Services testing within the past six months, Deo said.

FRTIB hires new CISO, compliance branch chief

The agency also hired a new chief information security officer in June and an audit and compliance branch chief in September.

The FRTIB cited its plans to implement two-factor authentication for TSP participants as another part of its audit finding remediation and security enhancement plans.

A formalized insider threat program is also on FRTIB’s to-do list. The agency doesn’t have an insider threat program to date, the Labor Department’s Employee Benefits Security Administration said in a March audit report, which the FRTIB made public earlier this month.

The agency hasn’t implemented controls to monitor, prevent and detect insider threats to the TSP, the audit said.

“The agency had not developed and implemented a process to establish and continually evaluate insider threat controls needed to identify and monitor high risk physical and logical areas and infrastructure components, and the agency had not assessed the need for risk-specific insider threat training,” the audit reads. “These weaknesses existed because the agency was in the formative stages of developing an insider threat program.

The FRTIB is planning to implement an insider threat program by August 2019, Deo said in the agency’s response to the audit findings.