The threat of another government shutdown in fiscal 2019 has come and gone, but lawmakers on both sides of the aisle aren’t giving up their push to secure a few more financial flexibilities for participants in the Thrift Savings Plan during future lapses in appropriations.

Sen. Bill Cassidy (R-La.) is the latest member of Congress to introduce legislation that would waive the typical penalty that TSP participants would usually incur if they take a hardship withdrawal before a certain age.

Cassidy’s bill essentially mimics language that the Federal Retirement Thrift Investment Board, the agency that administers the TSP, had written following 2017’s devastating hurricane season. The legislation would treat a government shutdown as a financial hardship and allow current federal employees under the age of 59-and-a-half to withdraw from their TSP accounts without incurring a 10 percent early withdrawal penalty tax.

With Cassidy’s bill, there are now five pieces of legislation that aim to accomplish this similar goal. The bills would also let TSP participants repay the hardship loans under certain deadlines and parameters.

The FRTIB is still working with congressional staffers to change the original legislative text to something the agency can implement, said Kim Weaver, director for external affairs.

Reps. Pete Olson (R-Texas), Don Beyer (D-Va.), Ed Perlmutter (D-Colo.) and Elaine Luria (D-Va.), along with Sens. Tim Kaine (D-Va.), Ron Wyden (D-Ore.), Patty Murray (D-Wash.) and Susan Collins (R-Maine), were among the members who had originally introduced or co-sponsored one of these bills.

“The bills are going to be amended as they move forward,” Weaver said at the board’s monthly meeting Monday. “I’m told by staff on both sides that they intend to get this type of legislation in permanent law. If there’s another government shutdown come Oct. 1, which would be the next opportunity, [we don’t want] this scramble we experienced in January.”

From Weaver’s perspective, there’s bipartisan, bicameral support for some sort of legislation in this Congress regardless of the timing of the next government shutdown, though she said it’s unclear which bill would be the most likely to move forward.

Meanwhile, the FRTIB is still noticing the impact of the 35-day government shutdown in other ways.

The FRTIB saw a 25 percent jump in hardship withdrawals in January. New loan requests, however,  at this point are stable.

The agency also saw a lower than usual increase in participation to the Federal Employee Retirement System (FERS) last month. The FERS participation rates went up just less than 1 percent in January, meaning that 90.3 percent of FERS employees deferred money to the Thrift Savings Plan that month.

“We’re attributing that to the furlough,” Tee Ramos, FRTIB’s director of participant service, said. “There are several organizations where we derive our numbers, and there were several organizations that didn’t have payroll for that month.”

Auditor finds TSP cybersecurity lacking

The TSP is still struggling with its cybersecurity posture and hasn’t fully developed and implemented an effective information security program, according to the most recent results of an independent Federal Information Security Modernization Act (FISMA) audit.

The FRTIB has been struggling to meet FISMA requirements since at least fiscal 2016, when the agency conducted its first-ever such audit. The agency suffered a cyber breach back in 2012, when hackers accessed personal information for 123,000 TSP participants through one of its contractors.

Using the FISMA maturity model, an independent auditor considered three out of eight domains as “defined.” The remaining five are still considered “ad-hoc,” meaning most FRTIB security policies and procedures aren’t formalized and still reactive in nature.

The FRTIB doesn’t have an inspector general and uses an independent consultant, Williams Adley in this case, to review the agency’s compliance.

Data protection and privacy, identity and access management and configuration management were among the three domains that moved up a notch on the FISMA model rating this past year, according to the Williams Adley audit.

“Many initiatives were in place during the year, but by the time our assessment had concluded, those initiatives were either not completed or they had just recently been completed and we weren’t able to assess the level of completion,” the auditors said at Monday’s board meeting.

Both the agency and the auditors were relatively confident the FRTIB’s cyber posture would, in fact, continue to improve in the coming years. The agency has had one permanent chief technology officer (CTO) on board for nearly a full year now, who’s leading the FRTIB’s FISMA response strategy.

The agency also found a deputy CTO and formed an enterprise risk management steering committee, which has a direct reporting line to FRTIB management and the executive director.

Williams Adley told the board it sees signs that more secure leadership, along with the FRTIB’s improvement strategy, demonstrate that the agency is thinking about cybersecurity in a different way.

Patrick Bevill, the FRTIB’s relatively new chief information security officer, said the agency would segment “cure activities” into 90-day, six month and one-year blocks for the eight FISMA domains. The goal is to bring all domains to the “consistently implemented” level by at least 2020.

Source