Inadequate Management of Active Directory Puts USPTO's Mission at Significant Cyber Risk

View Report

Date Issued

Thursday, June 13, 2019

Submitting OIG

Department of Commerce OIG

Other Participating OIGs

Department of Commerce OIG

Agencies Reviewed/Investigated

Department of Commerce

Components

U.S. Patent and Trademark Office

Report Number

OIG-19-014-A

Report Description

Our audit objective was to determine whether the U.S. Patent and Trademark Office has adequately managed its Active Directory to protect mission critical systems and data. Our review focused on fundamental security practices of Active Directory management and security control implementations of the servers hosting Active Directory .

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Open Recommendations

This report has 1 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use	Additional Details
4	No	$0	$0
We recommend that the Under Secretary of Commerce for Intellectual Property and Director of the United States Patent and Trademark Office direct the Chief Information Officer to ensure PIV card technology compatibility with on-going and future system development for USPTO next-generation applications, and switch PIV enforcement to a per-user basis, when technically feasible.