Title Full
Audit of the Department’s Vulnerability Reporting and Resolution Program
Date Issued
Submitting OIG
Department of Commerce OIG
Agencies Reviewed/Investigated
Department of Commerce
Report Number
OIG-26-002-A
Report Description

We assessed the effectiveness of the Department’s program for managing publicly reported vulnerabilities in its public-facing information technology systems. We found that the Department established a vulnerability disclosure program; however, it was not fully effective. Specifically, the Department’s vulnerability disclosure policy (VDP) did not include all internet-accessible systems, the VDP’s testing guidelines restricted the tools public security researchers could use to identify system vulnerabilities, the Department did not always fully remediate reported vulnerabilities, and the Department did not always remediate vulnerabilities within established deadlines.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
3
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Open Recommendations

This report has 3 open recommendations.
Recommendation 1
Significant Recommendation: No
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: We recommend that the Deputy Secretary of Commerce direct the Department’s Chief Information Officer to revise the Department’s VDP testing scope to align with CISA’s BOD 20-01, Develop and Publish a Vulnerability Disclosure Policy, which would include testing all internet-accessible systems.

Recommendation 2
Significant Recommendation: No
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: We recommend that the Deputy Secretary of Commerce direct the Department’s Chief Information Officer to update and implement VDP reporting and resolution standard operating procedures to ensure that vulnerability remediation is comprehensive across impacted systems.

Recommendation 3
Significant Recommendation: No
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: We recommend that the Deputy Secretary of Commerce direct the Department’s Chief Information Officer to work with bureaus to establish and implement an automated solution to coordinate communication between the contractor and bureaus and to prompt action on delayed vulnerability remediation based on impact level.
