GSA Should Strengthen the Security of Its Robotic Process Automation Program

View Report

Date Issued

Tuesday, August 6, 2024

Submitting OIG

General Services Administration OIG

Other Participating OIGs

General Services Administration OIG

Agencies Reviewed/Investigated

General Services Administration

Report Number

A230020BTF24004

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 5 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
1	Yes	$0	$0
We recommend that GSA’s Chief Financial Officer and Chief Information Officer conduct a comprehensive assessment of GSA’s CIO-IT Security-19-97, IT Security Procedural Guide: Robotic Process Automation (RPA) Security, (RPA policy) to ensure, among other things, that its monitoring controls are effectively designed and implemented.
2	Yes	$0	$0
We recommend that GSA’s Chief Financial Officer and Chief Information Officer develop oversight mechanisms to enforce compliance with the RPA policy and ensure that controls are operating effectively.
4	Yes	$0	$0
We recommend that GSA’s Chief Financial Officer and Chief Information Officer review all system security plans that bots currently interact with to determine if they address bot and non-person entity access. Update the system security plans, as needed.
6	Yes	$0	$0
We recommend that GSA’s Chief Financial Officer and Chief Information Officer review all system security plans that bots currently interact with to determine if the security controls need to be updated. Update the system security plans, as needed.
7	Yes	$0	$0
We recommend that GSA’s Chief Financial Officer and Chief Information Officer develop a comprehensive process for removing bot custodian and bot developer access for decommissioned bots and GSA systems that: aligns with GSA’s CIO-IT Security-01-07, IT Security Procedural Guide: Access Control (AC) (access control policy); tracks and documents that access has been removed; and incorporates the process into the RPA policy.