Ranking Member Cassidy Seeks Clarity on National Mediation Board’s Failure to Implement Data Security Reforms, Maintain Adequate Staffing


WASHINGTON – Today, U.S. Senator Bill Cassidy, M.D. (R-LA), ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, requested information from the National Mediation Board (NMB) following a recent Government Accountability Office (GAO) report that the agency has failed to implement crucial reforms to secure sensitive government information and ensure operations during a crisis. The report also details NMB’s issues with filling staff vacancies that have negatively impacted its ability to fulfill responsibilities.  

According to federal law, GAO is required to conduct an audit of NMB’s programs and activities every two years, in which it often recommends reforms to improve operations. An April 2024 report found that NMB failed to implement GAO’s 2020 recommendation to update its information technology (IT) systems to meet Federal Risk and Authorization Management Program (FedRAMP) standards. Since 2011, all executive branch agencies that use cloud services to hold federal data must use services that are FedRAMP certified. This is a crucial precaution to ensure all cloud services have sufficient security authorizations and that the federal government’s data is sufficiently protected. Additionally, NMB has not updated its continuity of operations plan since 2016 as recommended by GAO. This plan is crucial to ensure employees have clear guidance on the official NMB chain of command and protocol in the event of an emergency.

GAO's report also raises serious concerns that NMB has been unable to fill many of its vacant positions, some of which have been open for years. This problem is likely to continue as more than half of NMB's staff are or will be eligible for retirement within the next five years.  

Cassidy is seeking clarity from NMB on why it has not implemented these crucial reforms and how it will address the multiple issues raised by GAO.  

“NMB’s failure to implement years-old GAO recommendations to protect its information security systems and to address NMB’s staff recruitment and impending retirement cliff raises significant concerns,” wrote Dr. Cassidy. “In light of the role NMB played in staving off economic catastrophe in the negotiations between railway workers and carriers in 2022, and the potential that NMB may have to perform a similar role in the near future for other industries, NMB must take decisive action to correct these shortcomings.” 

Read the full letter here or below. 

Dear Chair Hamilton: 

On April 26, the Government Accountability Office (GAO) issued a report recommending actions the National Mediation Board (NMB) should take to update the agency’s cybersecurity protocols and implement workforce planning, training, and personnel policies to ensure NMB is able to carry out its statutory mission.[1] NMB is a critical component of domestic labor-management relations for our nation’s railroad and airline industries. NMB’s failure to implement years-old GAO recommendations to protect its information security systems and to address NMB’s staff recruitment and impending retirement cliff raises significant concerns. 

GAO is statutorily obligated to conduct an audit of NMB’s programs and activities every two years.[2] Since 2012, GAO has issued six reports to NMB with a total of 22 recommendations, all of which NMB agreed with.[3] NMB has not, however, fully implemented two of these recommendations, which both seek to strengthen NMB’s information security practices.[4] For example, in its most recent report, GAO found that NMB still uses a continuity of operations plan that has not been updated since 2016.[5] A continuity of operations plan is supposed to ensure that an agency can continue its primary, mission-essential functions during a variety of emergency situations. However, NMB’s existing plan directs employees to report to the Chief of Staff and an Assistant Chief of Staff for Administration—two positions that no longer exist at NMB.[6] This failure to secure the chain of command in an agency integral to national commerce is unacceptable. 

GAO also found that NMB has failed to implement GAO’s 2020 recommendation to implement information technology (IT) systems that meet the federal government’s standard for security.[7] The federal government uses the Federal Risk and Authorization Management Program (FedRAMP) to ensure all of its cloud products have sufficient security authorizations to protect the federal government’s data. In fact, since 2011, all executive branch agencies that use cloud services to hold federal data must use services that are FedRAMP certified.[8] Notwithstanding GAO’s recommendation and the long-standing requirement, NMB has failed to transition all of its IT systems to FedRAMP-certified systems. Again, this failure to implement GAO’s recommendation aimed at protecting NMB’s IT systems from breach for four years is inexcusable. 

GAO identified a number of forward-looking concerns with NMB’s internal policies and strategies for ensuring it has the appropriate workforce to continue its mission in the coming years. I am particularly concerned about NMB’s inability to fill vacant positions and its impending retirement cliff. According to GAO, NMB has a “high number” of vacant positions—some of which have been vacant for years—and nearly half of NMB’s current staff are, or will be, retirement-eligible in the next five years. I share GAO’s concerns with NMB’s staffing capabilities and the potential that NMB could lose nearly half of its staff to retirement with no plan or ability to replace them. 

In a May 15 letter, NMB stated that it has reviewed and “continues to make progress” on GAO’s recommendations.[9] According to that letter, NMB completed a “Workforce and Succession Plan, 2024-2028” in May 2024, but NMB did not provide any details on that plan or how it helps to fix the problems identified in GAO’s report.[10] 

In light of the role NMB played in staving off economic catastrophe in the negotiations between railway workers and carriers in 2022, and the potential that NMB may have to perform a similar role in the near future for other industries, NMB must take decisive action to correct these shortcomings. To better understand NMB’s plans to ensure its IT security, continuity of information, and long-term personnel stability, I ask that you answer the following questions, on a question-by-question basis, by close of business on June 13, 2024. 

  1. Detail all reasons why NMB has not fully implemented GAO’s 2013 recommendation to ensure information security by keeping an up-to-date continuity of operations plan. Included in the response, please detail:
      1. Why NMB has not updated its continuity of operations plan since 2016;
      1. Any information NMB has communicated to its employees regarding its continuity plan in light of the fact that NMB eliminated two top positions included on the existing plan;
      1. By what date NMB plans to update its information security plans, including its continuity of operations plan; and
      1. Does NMB plan to regularly update this plan? If so, how often?
  1. Detail all reasons why NMB continues to use cloud services that are not approved by FedRAMP despite the decade-old requirement that all cloud services receive such approval before being implemented. Included in the response, please detail:
      1. Any and all obstacles NMB has faced in transitioning all cloud services to FedRAMP-approved cloud services;
      1. Why NMB has been able to successfully transition other cloud services to FedRAMP-approved services, but not the two identified in the latest GAO report; and
      1. By what date NMB plans to transition all cloud services to FedRAMP-approved cloud services.
  1. What steps does NMB currently take to ensure all agency information is and remains secure? Included in the response, please detail:
      1. The percentage of NMB employees who work remotely more than twice per week;
      1. Detailed information regarding the additional IT security procedures in place for employees working remotely; and
      1. Provide a copy of all policies related to IT security currently in place.
  1. What training, if any, does NMB provide to new employees to perform their primary responsibilities, and how often does NMB provide substantive training for an employee’s primary job duties? Please provide documentary examples of the training provided.
  1. Does NMB provide additional training to employees if employees are asked to perform duties outside of their primary job description? If so, please detail the kinds of additional duties employees are asked to perform and the training provided to help them succeed.
  1. In light of GAO’s finding that nearly half of NMB’s employees are, or will become, retirement-eligible in the next five years, what, if any, plans does NMB have in place to bridge the upcoming retirement cliff?
  1. What steps is NMB taking now to hire and train new employees?
  1. What obstacles has NMB encountered in hiring new employees to either bridge the impending retirement cliff or to fill the “high number” of current vacancies?
  1. If NMB is not successful in hiring new employees to fill current vacancies, how does NMB plan to ensure it is able to carry out its mission to facilitate labor relations in some of the nation’s largest industries of interstate commerce?
  1. Provide a copy of NMB’s recently updated “Workforce and Succession Plan, 2024-2028.”

Thank you for your prompt attention to this important matter.
