Failures in the Department’s Security Program Resulted in Exposure of Sensitive Trade Information to Unvetted Foreign Nationals

For the final report on our audit of the Department of Commerce’s (the Department’s) Enterprise Web Solutions (EWS) system, our objectives were to determine whether the (1) processes used to vet contract staff given administrative access to the EWS system are adequate; (2) Department followed a sufficient process to identify the impact level of the EWS system; (3) Office of the Chief Information Officer took appropriate actions to protect the information on the EWS system after it was granted an authorization to operate in 2018; and (4) contract used to procure EWS services and systems complied with Department acquisition regulations. Because of the serious nature of the cybersecurity issues identified, we determined that this audit report would address the first three objectives, while a separate, follow-on audit may address the fourth. We found that the Department did not protect sensitive data on the EWS system. Many of the problems we identified indicated that the Department had serious and pervasive issues that allowed exposure of sensitive data. Specifically, we found the following: I. The Department exposed sensitive data to unvetted foreign nationals working outside the United States. II. Unauthorized foreign nationals accessed and modified the EWS system after their contract had been terminated. III. The Department mishandled the response to unauthorized access by foreign nationals. IV. The Department failed to account for sensitive data on its systems.