Submitting OIG:
Report Description:
For our final report on our evaluation of the Office of the Secretary’s (OS’) incident response program, our objective was to assess the adequacy of actions taken by the U.S. Department of Commerce (the Department) and its bureaus when detecting and responding to cyber incidents in accordance with federal and Departmental requirements. Overall, we identified fundamental deficiencies in OS’ cybersecurity incident response program that increased the risk of successful cyberattacks. Specifically, we found the following: I. OS Security Operations Center’s (OS SOC’s) security tools were not properly configured to detect incidents; II. OS SOC did not effectively handle a simulated incident; and III. OS’ Office of the Chief Information Officer did not manage its incident detection and response program in accordance with federal requirements.
Short / Alternative Report Title:
Fundamental Deficiencies in OS’ Cybersecurity Incident Response Program Increase the Risk of Cyberattacks
Date Issued:
Wednesday, March 22, 2023
Agency Reviewed / Investigated:
Submitting OIG-Specific Report Number:
OIG-23-017-I
Component, if applicable:
Office of the Secretary
Location(s):
Agency-Wide
Type of Report:
Inspection / Evaluation
Questioned Costs:
$0
Funds for Better Use:
$0
Number of Recommendations:
14
View Document:
Attachment (2.2 MB)
Additional Details Link: