CBP's Configuration Management Practices Did Not Effectively Prevent System Outage

While U.S. Customs and Border Protection’s (CBP) actions to implement prior OIG outage-related recommendations could not have prevented the onset of the nation-wide outage on August 16, 2019, the steps taken did help minimize the length and severity of disruptions to passenger screening. By addressing OIG recommendations, CBP established a more effective control structure for monitoring passenger screening systems, thus enabling prompt action to identify and resolve the outage. However, CBP’s configuration management policies and procedures were not sufficient to prevent the 2019 outage. Specifically, CBP’s critical passenger applications were operating on an Oracle database device that was not properly configured, and, did not have up-to-date patches. The outage resulted in longer wait times and delays up to 2.5 hours for arriving passengers, as well as the need for CBP to revert to less effective backup systems to support passenger screening procedures. CBP personnel faced additional challenges during the outage, as they were unable to quickly access “offline” systems and were not fully prepared for backup procedures. This was due to inadequate training and ineffective communication from CBP Headquarters during the outage. CBP should address these deficiencies, which may increase the risk of entry of unauthorized aliens who could threaten our Nation’s security. We made five recommendations to improve training, procedures, processes, and employee awareness. CBP concurred with all five of our recommendations.