Submitting OIG:
Report Description:
For our final report on our audit of the U.S. Department of Commerce's (the Department's) system security assessment process, our objective was to assess the effectiveness of the Department's system security assessment and continuous monitoring program to ensure security deficiencies were identified, monitored, and adequately resolved. We found the Department did not effectively execute its continuous monitoring and system assessment process. Specifically, we found the following: I. the Department did not effectively plan for system assessments; II. the Department did not consistently conduct reliable system assessments; III. the Department did not resolve security control deficiencies within defined completion dates; and IV. the Department’s security system of record—i.e., the cyber security asset and management tool—did not provide accurate and complete assessment and plan of action & milestone data.
Short / Alternative Report Title:
The Department Needs to Improve Its System Security Assessment and Continuous Monitoring Program
Date Issued:
Tuesday, January 25, 2022
Agency Reviewed / Investigated:
Submitting OIG-Specific Report Number:
OIG-22-017-A
Component, if applicable:
Office of the Secretary
Location(s):
Agency-Wide
Type of Report:
Audit
Questioned Costs:
$0
Funds for Better Use:
$0
Number of Recommendations:
8