Submitting OIG:
Report Description:
We evaluated the U.S. Department of the Interior’s (DOI’s) and the U.S. Geological Survey’s (USGS’) implementation of Phase 1 of the Continuous Diagnostics and Mitigation (CDM) program for a USGS system.
Our evaluation revealed control deficiencies for hardware and software asset management and configuration management. Specifically, the DOI did not require bureaus and offices to maintain accurate hardware asset inventories for information systems, which prevented them from monitoring key security metrics through the DOI’s CDM dashboard. We also found that the DOI did not implement software blacklists or whitelists to help ensure that unapproved, unsupported, or potentially malicious software was not present on system computing devices. Further, we found that the USGS failed to require systems to operate with only those ports, protocols, and services necessary for essential operations, which increased their vulnerability to attack, and that the USGS did not timely mitigate vulnerabilities on USGS-owned system assets.
Short / Alternative Report Title:
DOI OIG - Weaknesses in a USGS System Leave Assets at Increased Risk of Attack
Date Issued:
Tuesday, March 30, 2021
Agency Reviewed / Investigated:
Submitting OIG-Specific Report Number:
2019-ITA-003
Component, if applicable:
U.S. Geological Survey
Location(s):
United States
Type of Report:
Inspection / Evaluation
Questioned Costs:
$0
Funds for Better Use:
$0
Number of Recommendations:
8
View Document:
Attachment | Size |
---|---|
FinalEvaluationUSGSSystemPublic.pdf | 3.5 MB |