WASHINGTON – Today, U.S. Senator Bill Cassidy, M.D. (R-LA), ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, requested information from the National Mediation Board (NMB) following a recent Government Accountability Office (GAO) report that the agency has failed to implement crucial reforms to secure sensitive government information and ensure operations during a crisis. The report also details NMB’s issues with filling staff vacancies that have negatively impacted its ability to fulfill responsibilities.
According to federal law, GAO is required to conduct an audit of NMB’s programs and activities every two years, where they often recommend reforms to improve operations. An April 2024 report found that NMB failed to implement GAO’s 2020 recommendation to update its information technology (IT) systems to meet Federal Risk and Authorization Management Program (FedRAMP) standards. Since 2011, all executive branch agencies that use cloud services to hold federal data must use services that are FedRAMP certified. This is a crucial precaution to ensure all cloud services have sufficient security authorizations and that the federal government’s data is sufficiently protected. Additionally, NMB has not updated its continuity of operations plan since 2016 as recommended by GAO. This plan is crucial to ensure employees have clear guidance on the official NMB chain of command and protocol in the event of an emergency.
GAO's report also raises serious concerns that NMB has been unable to fill many of its vacant positions, some of which have been open for years. This problem is likely to continue as more than half of NMB's staff are or will be eligible for retirement within the next five years.
Cassidy is seeking clarity from NMB on why it has not implemented these crucial reforms and how it will address the multiple issues raised by GAO.
“NMB’s failure to implement years-old GAO recommendations to protect its information security systems and to address NMB’s staff recruitment and impending retirement cliff raises significant concerns,” wrote Dr. Cassidy. “In light of the role NMB played in staving off economic catastrophe in the negotiations between railway workers and carriers in 2022, and the potential that NMB may have to perform a similar role in the near future for other industries, NMB must take decisive action to correct these shortcomings.”
Read the full letter here or below.
Dear Chair Hamilton:
On April 26, the Government Accountability Office (GAO) issued a report recommending actions the National Mediation Board (NMB) should take to update the agency’s cybersecurity protocols and implement workforce planning, training, and personnel policies to ensure NMB is able to carry out its statutory mission.[1] NMB is a critical component of domestic labor-management relations for our nation’s railroad and airline industries. NMB’s failure to implement years-old GAO recommendations to protect its information security systems and to address NMB’s staff recruitment and impending retirement cliff raises significant concerns.
GAO is statutorily obligated to conduct an audit of NMB’s programs and activities every two years.[2] Since 2012, GAO has issued six reports to NMB with a total of 22 recommendations, all of which NMB agreed with.[3] NMB has not, however, fully implemented two of these recommendations, which both seek to strengthen NMB’s information security practices.[4] For example, in its most recent report, GAO found that NMB still uses a continuity of operations plan that has not been updated since 2016.[5] A continuity of operations plan is supposed to ensure that an agency can continue its primary, mission-essential functions during a variety of emergency situations. However, NMB’s existing plan directs employees to report to the Chief of Staff and an Assistant Chief of Staff for Administration—two positions that no longer exist at NMB.[6] This failure to secure the chain of command in an agency integral to national commerce is unacceptable.
GAO also found that NMB has failed to implement GAO’s 2020 recommendation to implement information technology (IT) systems that meet the federal government’s standard for security.[7] The federal government uses the Federal Risk and Authorization Management Program (FedRAMP) to ensure all of its cloud products have sufficient security authorizations to protect the federal government’s data. In fact, since 2011, all executive branch agencies that use cloud services to hold federal data must use services that are FedRAMP certified.[8] Notwithstanding GAO’s recommendation and the long-standing requirement, NMB has failed to transition all of its IT systems to FedRAMP-certified systems. Again, this failure to implement GAO’s recommendation aimed at protecting NMB’s IT systems from breach for four years is inexcusable.
GAO identified a number of forward-looking concerns with NMB’s internal policies and strategies for ensuring it has the appropriate workforce to continue its mission in the coming years. I am particularly concerned about NMB’s inability to fill vacant positions and its impending retirement cliff. According to GAO, NMB has a “high number” of vacant positions—some of which have been vacant for years—and nearly half of NMB’s current staff are, or will be, retirement-eligible in the next five years. I share GAO’s concerns with NMB’s staffing capabilities and the potential that NMB could lose nearly half of its staff to retirement with no plan or ability to replace them.
In a May 15 letter, NMB stated that it has reviewed and “continues to make progress” on GAO’s recommendations.[9] According to that letter, NMB completed a “Workforce and Succession Plan, 2024-2028” in May 2024, but NMB did not provide any details on that plan or how it helps to fix the problems identified in GAO’s report.[10]
In light of the role NMB played in staving off economic catastrophe in the negotiations between railway workers and carriers in 2022, and the potential that NMB may have to perform a similar role in the near future for other industries, NMB must take decisive action to correct these shortcomings. To better understand NMB’s plans to ensure its IT security, continuity of information, and long-term personnel stability, I ask that you answer the following questions, on a question-by-question basis, by close of business on June 13, 2024.
Thank you for your prompt attention to this important matter.
For all news and updates from HELP Republicans, visit our website or Twitter at @GOPHELP. Click here to unsubscribe.