Submitting OIG:
Report Description:
For this audit, our objective was to determine if the U.S. Department of Commerce and its bureaus identify and remediate vulnerabilities on their high value IT assets (HVAs) in accordance with federal requirements. We found that while the Department conducts HVA assessments in accordance with federal requirements, it did not always effectively identify and remediate vulnerabilities. It also did not follow best practice security guidance for HVAs. As a result, (I) HVAs are operating with significant risk due to unresolved vulnerabilities; and (II) OIG successfully exploited security weaknesses on multiple HVAs. All seven of the HVAs in our review had at least one exploitable vulnerability type, and the Department’s vulnerability scanners do not always identify vulnerabilities in HVAs. We also learned during our audit that the U.S. Patent and Trademark Office (USPTO) had asked the Department to downgrade all of its HVAs to non-HVAs. In September 2023, the Department’s Chief Information Officer agreed to downgrade the majority of USPTO’s HVAs.
Short / Alternative Report Title:
Security Weaknesses Leave the Department’s Mission-Critical High Value IT Assets Vulnerable to Cyberattacks
Date Issued:
Thursday, September 28, 2023
Agency Reviewed / Investigated:
Submitting OIG-Specific Report Number:
OIG-23-030-A
Location(s):
Agency-Wide
Type of Report:
Audit
Questioned Costs:
$0
Funds for Better Use:
$0
Number of Recommendations:
4
Report updated under NDAA 5274:
No
View Document:
Attachment (1.71 MB)