The DE OFCCP Week in Review (WIR) is a simple, fast and direct summary of relevant happenings in the OFCCP regulatory environment, authored by experts John C. Fox, Candee J. Chambers and Cynthia L. Hackerott. In today’s edition, they discuss:

Tuesday, November 21, 2023: US DOL Inspector General’s Office Announced Report Citing IT Modernization & Security Concerns

Another Report Earlier This Month Also Identified IT Security Challenges

The U.S. Department of Labor’s (“DOL”) Office of Inspector General (“OIG”) announced on X/Twitter a new Report, titled “Without an IT Modernization Framework, DOL Is Vulnerable to Inadequate Resource Prioritization for Ensuring Security and Availability of DOL Systems.” While the Report is dated November 17, the OIG did not announce it until last Tuesday. The OIG found that the DOL has not developed a formal IT modernization framework, that the DOL could improve elements of its existing process, and that these issues leave the department vulnerable to not prioritizing projects that it most needs to address.

What is IT Modernization?

The OIG explained that information technology (“IT”) modernization “refers to an organization’s efforts to prevent IT systems from becoming outdated, which can lead to poor performance and security concerns.” The DOL’s Chief Information Officer (“CIO”) has responsibility and oversight for over 65 major information systems as well as enterprise IT initiatives across the department. This responsibility includes overseeing the DOL’s efforts “to upgrade IT systems and to ensure that existing IT systems do not become outdated due to lifecycle, technical, or business reasons.”

What Did the OIG Find?

In the 18-page Report, the OIG found that:

“the Department has not developed a formal, documented IT modernization framework. While the CIO has developed several elements that could become part of an IT modernization framework, [the OIG] found those elements are not linked to one another nor documented as part of a larger, formalized process. The CIO’s reason for lack of a documented framework was to keep the approach dynamic. However, a documented framework would ensure consistency going forward rather than leaving DOL’s IT modernization efforts open to interpretation and subject to changes in personnel.

Also, [the OIG] found that at least two of the elements could be improved. First, the agency update documents that the CIO uses to monitor IT modernization projects are incomplete and also agency-curated, instead of being based on the full picture. Second, the inventory of IT systems used to prioritize IT modernization efforts is a spreadsheet that has to be manually updated and does not link to the other elements.

These issues lead to gaps in the CIO’s visibility of the current and future states of DOL’s IT modernization. As a result, DOL is vulnerable to spending valuable time and resources on IT projects that are not the highest priorities for ensuring the security and availability of vital DOL systems.”

Three Recommendations & Responses

As a result of its findings, the OIG made three recommendations:

  1. Document an IT modernization framework including the variety of connections between different elements and publish the information to ensure all Department personnel are aware of how it works. In response, the Office of the Chief Information Officer (“OCIO”) stated it has formalized an IT modernization scoring mechanism which was not yet in place at the time of the audit, and it will take further measures to publish a model that demonstrates the key elements and relationships involved in the process;
  2. Develop documents for IT modernization project discussions that ensure completeness of IT modernization efforts including new projects and enhancements to existing systems. The OCIO addressed this recommendation by stating that it will review and refine documents to ensure the completeness of IT modernization efforts including new projects and enhancements to existing systems;
  3. Implement a system/program to maintain an automated, real-time inventory of all Department systems and applications that enables prioritization of IT modernization. In response, the OCIO stated it will focus on maintaining an inventory of all programs and systems using IT discovery tools, which will be automated, although not necessarily “real-time,” to the extent possible within budget constraints.

Earlier Report on Management & Performance Challenges Also Raised IT Security Concerns

An earlier OIG Report on the DOL’s “Top Management and Performance Challenges,” dated November 15, 2023, also addressed data and IT concerns. The last three pages of the 45-page Report addressed “Managing and Securing Data and Information Systems.” There, the OIG concluded that:

“The Department continues to be challenged in securing and managing data and information systems, particularly in the following areas: (1) maintaining an effective information security program; (2) implementing, utilizing, and securing emerging technologies; and (3) governing a vast IT portfolio to meet DOL and its program agencies’ needs and expectations.”

The OIG then went on to discuss the security deficiencies it found in recent audits:

“We found DOL’s security program had deficiencies in maintaining policies and procedures to comply with current federal requirements, oversight reviews, configuration management, insufficient vulnerability testing, and contingency testing. Additionally, the Department was unable to close 31 of [the prior year recommendations that the OIG made pursuant to the Federal Information Security Modernization Act of 2014.] These deficiencies continue to hinder the Department in identifying security weaknesses; protecting its systems and data; and detecting, responding to, and recovering from incidents.

The Department will continue to be challenged to effectively implement, utilize, and secure new and emerging technologies, including artificial intelligence, advanced analytics, robotic process automation, quantum computing, low-code technology, and the Internet of Things [see here]. DOL struggles in its ability to implement new requirements into its IT practices and programs. The Department has not demonstrated the ability to effectively implement new standards for securing federal data and information systems, such as those applicable to zero trust architecture and supply chain.

…..

Ultimately, the Department faces key challenges in IT security and management that include protecting its IT systems from intrusion by external threats or being compromised by internal entities; securing and safeguarding its data and information systems, including administering endpoint security; managing its IT investment portfolio; and planning, acquiring, replacing, and upgrading IT infrastructure and systems. Further, we are still concerned the remaining systems and agencies that are not part of the IT Shared Services environment are not receiving the governance and oversight required to sufficiently secure all of DOL’s data and information systems.”

What Does DOL Need to Do?

The OIG noted that, while the DOL has made some progress:

“DOL needs to improve its governance and management over all of DOL agencies’ IT and systems. To improve the security of its information systems, the Department still needs to:

  • Strengthen its oversight in implementing information security policies, procedures, and controls.
  • Improve its continuous monitoring program.
  • Focus on recurring information security deficiencies.
  • Implement required information system security standards.
  • Ensure the implementation of security requirements with its third-party cloud systems and IT services.
  • Plan for emerging cybersecurity enhancements, such as zero trust architecture.

To improve the management of its information systems, while having implemented a shared services model within the Office of the Assistant Secretary for Administration and Management for its information technology, the Department needs to:

  • Incorporate the remaining information systems into DOL’s IT Shared Services model.
  • Elevate the CIO’s position to report directly to the Secretary of Labor so the CIO has the necessary authority, independence, and accountability to govern the Department’s IT resources.”

For more background on the DOL OIG, see our recent report here and the DE Under 3 segment here.

In Brief

Tuesday, November 14, 2023: OMB Extended Existing Approval for EEO-1 Survey Component 1 Data Collection Requirements

Approval of Current Collection Extended by Two Years & Three Months

The White House Office of Management and Budget (“OMB”) extended its previous one-year approval of the EEO-1 Survey Component 1 Data Collection for another two years and three months. This approval will now expire on November 30, 2026. We previously reported that on August 8, 2023, the OMB approved the Equal Employment Opportunity Commission’s (“EEOC”) proposed changes to this data collection, including eliminating the “types” of EEO-1 reporting (i.e., by discontinuing the requirement for “Type 4” and “Type 8” EEO-1 reports). However, we noted in our previous story that this approval was unusual because it was ONLY for one year – to August 31, 2024. Normally, OMB approvals for “information collection requirements” under the Paperwork Reduction Act (“PRA”), such as the EEO-1 Survey, are for three years. The November 14, 2023, approval is an “[e]xtension without change” to the one made on August 8.

The OMB’s “Terms of Clearance” for the new approval are similar to the previous approval made in August:

“OMB requests that EEOC work closely with OMB to ensure that the collection is preparing to become fully compliant with upcoming revisions to OMB’s Standards for Maintaining, Collecting, and Presenting Federal Data on Race and Ethnicity and any associated OMB guidance. OMB also recommends that EEOC seek the input of affected stakeholders about any revisions as early as possible, and provide respondents with ample notice before making revisions in order to minimize burdens. Finally, OMB expects EEOC to keep it updated about any possible revisions to this report on a regular basis.”

As we reported in May, the OMB anticipates completing its planned revisions to the 1997 Statistical Policy Directive No. 15: Standards for Maintaining, Collecting, and Presenting Federal Data on Race and Ethnicity no later than Summer 2024.

Wednesday, November 22, 2023: Citing Legal Challenges, US NLRB Published Formal Notice Extending Effective Date of Joint Employer Rule to February 26, 2024

As promised, the U.S. National Labor Relations Board (“NLRB”) published a formal Notice in the Federal Register that the effective date of its finalized joint employer Rule is now February 26, 2024, a two-month extension from the original December 26, 2023, implementation date. The Final Rule established a new, broader standard to determine whether two or more employers are joint employers of particular employees within the meaning of the National Labor Relations Act (“NLRA”). The new standard will only apply to cases filed after the Final Rule takes effect. We discussed the Final Rule, published in late October, in detail here. Last week, we reported that the U.S. Government Accountability Office issued a Decision concluding that the original December 26, 2023, implementation date violated the Congressional Review Act.

In the Federal Register Notice, the NLRB stated that it amended the effective date “to facilitate the resolution of the legal challenges with respect to the Final Rule.” Specifically, it mentioned that on November 6, 2023, a petition for review of the Final Rule was filed in the United States Court of Appeals for the District of Columbia Circuit (Service Employees International Union v. NLRB, No. 23–1309). Plus, on November 19, 2023, a challenge to the Final Rule was filed in the U.S. District Court for the Eastern District of Texas (Chamber of Commerce of the United States of America, et al. v. NLRB, No. 6:23–cv–00553).

New Publications

Monday, November 20, 2023: U.S. Congressional Research Service Published Report on “42 U.S.C. § 1981’s Contract Clause: Racial Equality in Contractual Relationships” (includes employment context)

Friday, November 24, 2023: U.S. Department of Labor’s Veterans Employment and Training Service published a Federal Register Notice listing alphabetically, by employer name, the 859 employers that it recognized during its virtual 2023 HIRE Vets Medallion Award Ceremony earlier this month (see our story here)

Looking Ahead:
Upcoming Date Reminders

There are no NEW items added to our calendar this week:

June 2023: U.S. DOL WHD’s current target date (now overdue) to publish its Final Rule on Nondisplacement of Qualified Workers Under Service Contracts (RIN: 1235-AA42)

June 2023: U.S. OSHA’s current target date (now overdue) to publish its Final Rule on Occupational Exposure to COVID-19 in Healthcare Settings (RIN: 1218-AD36)

August 2023: U.S. DOL WHD’s (now overdue) target date for its Final Rule on Employee or Independent Contractor Classification Under the Fair Labor Standards Act (RIN: 1235-AA43)

August 2023: U.S. NLRB’s (now overdue) target date for its Final Election Protection Rule (RIN: 3142-AA22)

August 2023: U.S. DOL’s OASAM’s (now overdue) target date to publish Proposed Rule on “Revision of the Regulations Implementing Section 188 of the Workforce Innovation and Opportunity Act (WIOA) to Clarify Nondiscrimination and Equal Opportunity Requirements and Obligations Related to Sex” (RIN: 1291-AA44)

November 27, 2023: Comments due on the U.S. Office of Personnel Management’s Interim Final Rule to extend the eligibility date for noncompetitive appointment of military spouses married to a member of the armed forces on active duty through December 31, 2028

December 5, 2023: Submission deadline for EEO-1 Survey Component 1 Data Collection (collection period opened on October 31, 2023)

December 5, 2023: Comments due on the White House Office of Management and Budget’s proposed guidance to federal agencies on how they should implement Biden’s Executive Order on Artificial Intelligence

December 26, 2023: NLRB’s Direct Final Rule revising its procedures governing representation elections takes effect

December 29, 2023: Statutory deadline for EEOC to finalize regulations to enforce the Pregnant Workers Fairness Act

December 2023: OFCCP’s current target date for its Notice of Proposed Rulemaking to “Modernize” Supply & Service Contractor Regulations (RIN: 1250-AA13)

December 2023: OFCCP’s current target date for its Final Rule on “Technical Amendments” to Update Jurisdictional Thresholds & Remove Gender Assumptive Pronouns (RIN: 1250-AA16)

January 1, 2024: U.S. DOL OSHA’s Final Rule Requiring Covered High-Hazard Industry Employers to Electronically Submit Injury & Illness Records takes effect

February 26, 2024: Effective date of NLRB’s Final Rule on Standard for Determining Joint-Employer Status under the NLRA (previous December 26, 2023, effective date extended)

April 3 – April 5, 2024: DEAMcon24 New Orleans – The DEAMcon24 Program is now live!

January 1, 2024: The minimum wage for federal contracts covered by Executive Order 13658 (“Establishing a Minimum Wage for Contractors”) (contracts entered into, renewed, or extended prior to January 30, 2022), will increase to $12.90 per hour, and the minimum cash wage for tipped employees increases to $9.05 per hour (See our story here detailing exceptions)

January 1, 2024: The minimum wage for federal contractors covered by Executive Order 14026 (“Increasing the Minimum Wage for Federal Contractors”) (contracts entered into on or after January 30, 2022, or that are renewed or extended on or after January 30, 2022), will increase to $17.20 per hour, and this minimum wage rate will apply to non-tipped and tipped employees alike (See our story here detailing exceptions)

June 2024: OFCCP’s current target date for its Notice of Proposed Rulemaking to Require Reporting of Subcontractors (RIN: 1250-AA15)

THIS COLUMN IS MEANT TO ASSIST IN A GENERAL UNDERSTANDING OF THE CURRENT LAW AND PRACTICE RELATING TO OFCCP. IT IS NOT TO BE REGARDED AS LEGAL ADVICE. COMPANIES OR INDIVIDUALS WITH PARTICULAR QUESTIONS SHOULD SEEK ADVICE OF COUNSEL.
