Stay Informed
of New Reports
Twitter
Where To Report Waste
Fraud, Abuse, Or Retaliation
Where To Report Waste Fraud, Abuse, Or Retaliation

The U.S. Department of the Interior’s Cyber Risk Management Practices Leave Its Systems at Increased Risk of Compromise

Submitting OIG: 
Department of the Interior OIG
Report Description: 
DOI systems were operating without authorization, and the DOI did not consistently analyze and monitor security weaknesses.
Short / Alternative Report Title: 
The DOI’s Cyber Risk Management Practices Leave Its Systems at Increased Risk of Compromise
Date Issued: 
Tuesday, February 28, 2023
Agency Reviewed / Investigated: 
Department of the Interior
Submitting OIG-Specific Report Number: 
2020–ITA–030
Component, if applicable: 
Office of the Chief Information Officer
Location(s): 
Agency-Wide
Type of Report: 
Inspection / Evaluation
Questioned Costs: 
$0
Funds for Better Use: 
$0
Number of Recommendations: 
11
View Document: 
AttachmentSize
PDF icon Final-Evaluation-ReportDOI-Cyber-Risk-ManagementPublic.pdf1.24 MB

Related Open Recommendations

Recommendation Number Recommendation Status Significant Recommendation Additional Details
2020-ITA-030-01 Open Yes
We recommend that the OCIO Develop and implement a process to evaluate all systems’ Authorizations to Operate annually for accuracy and completeness to ensure systems are operating with a valid authorization determined by actual residual risk.
2020-ITA-030-02 Open Yes
We recommend that the OCIO Develop and implement a process to conduct quality control reviews at least annually to ensure that all systems within the official system of record (Cyber Security Assessment and Management system) have an accurate operating status.
2020-ITA-030-03 Open No
We recommend that the OCIO Develop and implement a process to validate the accuracy of bureau and office annual assurance statements before submitting the statements to Congress.
2020-ITA-030-04 Open No
We recommend that the OCIO in addition to ongoing continuous monitoring, develop and implement a policy to direct system owners to test all of the controls for their systems at least every 3 years.
2020-ITA-030-05 Open No
We recommend that the OCIO develop and implement a policy to ensure data and control implementation status are accurately represented in the official system of record.
2020-ITA-030-06 Open No
We recommend that the OCIO develop and implement a policy to verify that bureaus and offices perform control assessments every 3 years.
2020-ITA-030-07 Open No
We recommend that the OCIO develop and implement a review process that includes, at minimum, verifying that system owners have completed required testing for a sample of controls for each system before accepting the annual assurance statement.
2020-ITA-030-08 Open No
We recommend that the OCIO develop and implement a comprehensive quality control plan to perform required quarterly reviews of Plans of Action and Milestones in the official system of record to ensure that bureaus and offices address them in a timely manner, close them as appropriate, and continuously monitor and track them.
2020-ITA-030-09 Open No
We recommend that the OCIO Direct system owners to perform annual reviews of the data contained in all operational IT systems to ensure that an accurate privacy impact assessment has been completed and, when necessary, adjust the system’s security categorization.
2020-ITA-030-10 Open No
We recommend that the OCIO Develop and implement a process to ensure that a Privacy Impact Assessment is conducted before a system is granted Authorization to Operate.

Pages

Displaying 10 of 11 Recommendations