MARK R. WARNER
United States Senate
RULES AND ADMINISTRATION
September 16, 2019
Mark A. Morgan
Acting Commissioner of U.S. Customs and Border Protection
1300 Pennsylvania Ave NW
Washington, DC 20004
Dear Mr. Morgan,
In 2014, a year before the OPM data breach that compromised the personal data of 20 million federal
employees, two separate federal contractor breaches exposed the personal data of 73,000 federal
employees.¹ Three years before those incidents, in 2011, a government contractor exposed the data of 4.9
million military health care beneficiaries.² Last year it was reported that 5.6 percent of aerospace and
defense contractors and 4.3 percent of technology contractors suffered at least one data breach since
2016. Federal healthcare and wellness contractors reported breaches at 8 percent during the same period.³ ⁴
Despite the many examples of poor third-party management and subcontractor information security
practices, federal agencies continue to fail to ensure that contractors and subcontractors adequately
manage the sensitive information of the American people.
Considering your position as the largest federal law enforcement agency of the Department of Homeland
Security, I am particularly alarmed by the cyberattack on one of your agency’s subcontractors that
allowed the theft of facial images belonging to thousands of travelers. It is my understanding that the
contractor improperly transferred information from CBP to their own company database, which was
breached by attackers.⁵ The attack resulted in the removal of the facial images of at least 100,000
travelers.⁶ ⁷ According to another report, the breach resulted in the exposure of several gigabytes of data,
including confidential agreements, budget spreadsheets, and internal photos.⁸ While all of the stolen
information was sensitive and required protection, facial image data is especially sensitive, since such
permanent personal information cannot be replaced like a password or a license plate number.

¹ “GSA announces new requirement for contractors.” January 9, 2019. AFBA Newsroom.
http://newsroom.afba.com/uniformed-services-news/gsa-creates-new-rules-for-reporting-government-contractor-data-breaches/
² Miles, Donna. “Tricare investigates beneficiary data breach,” October 11, 2011. U.S. Army website.
https://www.army.mil/article/6708…
³ “Report finds contractors face significant security threats.” February 16, 2018. Washington Technology.
https://washingtontechnology.com/articles/2018/02/16/contractor-data-breach-report.aspx
⁴ “Beyond Uncle Sam: analyzing the security posture of U.S. government contractors and subcontractors,” February 16, 2018.
BitSight Insights.
https://cdn2.hubspot.net/hubfs/277648/Insights/BitSight_Insights_Analyzing_Security_Federal_Contractors.pdf
⁵ Fussell, Sidney. “This is exactly what privacy experts said would happen,” June 11, 2019. The Atlantic.
https://www.theatlantic.com/technology/archive/2019/06/travelers-images-stolen-attack-cbp/591403/
⁶ Reichert, Corinne. “US Customs and Border Protection says traveler images were taken in cyberattack,” June 12, 2019. CNET.
https://www.cnet.com/news/us-customs-and-border-protection-says-traveler-images-were-taken-in-subcontractor-cyber-attack/
⁷ Whittaker, Zack. “CBP says traveler photos and license plate images stolen in data breach,” June 10, 2019. TechCrunch.
https://techcrunch.com/2019/06/10/cbp-data-breach/
⁸ Harwell, Drew. “Hacked documents detail sensitive details of expanding border surveillance,” June 21, 2019. The Washington Post.
https://www.washingtonpost.com/technology/2019/06/21/hacked-documents-reveal-sensitive-details-expanding-border-surveillance/
I have frequently pointed out the derisory state of third-party contractor and subcontractor information
security practices and management in industry and across the government. It is absolutely critical that
federal agencies and industry improve their track records, especially when handling and processing
biometric data. Americans deserve to have their sensitive information secured, regardless of whether
being handled by a first or a third-party.
To better understand the state of your third-party management and contractor and subcontractor
information security practices, especially regarding permanently identifiable biometric data, I request
answers to the following questions:
1. What are your contractual requirements for security controls and for third-party
contractor/subcontractor management of biometric data?
2. Do you require contractors and subcontractors to maintain full-disk encryption of their databases?
3. What identity and access management requirements do you place on contractors/subcontractors?
4. Do you require that your contractors/subcontractors ensure segregated accounts and credentials
for each unique user?
5. What are your third-party contractor/subcontractor security requirements for managing
administrative accounts?
6. What are your contractor/subcontractor configuration management requirements? What are your
contractor/subcontractor vulnerability management requirements? What are your
contractor/subcontractor data loss prevention and encryption requirements?
7. What are your contractor/subcontractor requirements for monitoring, auditing and logging
capabilities? How long do you or your contractors or subcontractors, or sub-suppliers retain your
logging data? What type of data do you provide to your contractors?
8. How do you evaluate the information security systems and data retention policies of your
contractors and sub-suppliers?
I would appreciate receiving your answers within two weeks. Please contact
[email protected].
Sincerely,
Mark Warner
United States Senator