Report File
Date Issued
Submitting OIG
Department of Commerce OIG
Agencies Reviewed/Investigated
Department of Commerce
Report Number
OIG-25-006-A
Report Description

For our audit of the U.S. Department of Commerce’s (the Department’s) Enterprise Continuous Diagnostics and Mitigation (ECDM) program, our objective was to assess the effectiveness of the program. To address this objective, we assessed data quality, data security, and aspects of program management in a recent ECDM tool procurement decision. We found that I. ECDM data quality does not fully support Department oversight and reporting needs; II. The National Institute of Standards and Technology does not consistently control and thoroughly test the ECDM program’s information system changes; III. The ECDM program’s information system is relatively secure but has some internal security weaknesses; IV. Deficiencies in ECDM program management place future enterprise cybersecurity tool deployments at risk; and V. The Department does not fully incorporate bureau-incurred costs in its ECDM project cost tracking.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
7
Questioned Costs
$0
Funds for Better Use
$5,619,299
Report updated under NDAA 5274
No

Open Recommendations

This report has 4 open recommendations.
Recommendation 1
Significant Recommendation: Yes
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $5,619,299
Additional Details: We recommend that the Deputy Secretary of Commerce direct the Department’s Chief Information Officer to develop and implement oversight mechanisms to manage and track whether bureaus meet hardware asset management, software asset management, configuration security management, and vulnerability management data collection and reporting requirements. Implementing this recommendation will lead to funds being put to better use.

Recommendation 2
Significant Recommendation: Yes
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: We recommend that the Deputy Secretary of Commerce direct the Department’s Chief Information Officer to develop and implement oversight mechanisms to ensure Department cybersecurity data reported in the CDM agency dashboard and used in CIO FISMA metric reporting accurately reflects the Department’s cybersecurity posture.

Recommendation 3
Significant Recommendation: Yes
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: We recommend that the Deputy Secretary of Commerce direct the Department’s Chief Information Officer and NIST’s Chief Information Officer to design and implement a technical control to prevent changes to the production environment without proper configuration change control processes and testing.

Recommendation 7
Significant Recommendation: Yes
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: We recommend that the Deputy Secretary of Commerce direct the Department’s Chief Information Officer to design and implement a process to track and report bureau-incurred ECDM program costs for improved cost reporting and analysis of cost-saving opportunities.
