For this audit, our objective was to determine if the U.S. Department of Commerce and its bureaus identify and remediate vulnerabilities on their high value IT assets (HVAs) in accordance with federal requirements. We found that while the Department conducts HVA assessments in accordance with federal requirements, it did not always effectively identify and remediate vulnerabilities. It also did not follow best practice security guidance for HVAs. As a result:

I. HVAs are operating with significant risk due to unresolved vulnerabilities; and
II. OIG successfully exploited security weaknesses on multiple HVAs.

All seven of the HVAs in our review had at least one exploitable vulnerability type, and the Department’s vulnerability scanners do not always identify vulnerabilities in HVAs. We also learned during our audit that the U.S. Patent and Trademark Office (USPTO) had asked the Department to downgrade all of its HVAs to non-HVAs. In September 2023, the Department’s Chief Information Officer agreed to downgrade the majority of USPTO’s HVAs.
Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
---|---|---|---|---
1 | Yes | $0 | $0 | We recommend the Deputy Secretary of Commerce direct the Department's Chief Information Officer to work with system owners to (a) determine why penetration tests and KEV findings are not resolved within established due dates, (b) prioritize resources to resolve the causes of the delayed remediations, (c) immediately remediate vulnerabilities, and (d) establish a real-time reporting mechanism to track closures.
3 | Yes | $0 | $0 | We recommend the Deputy Secretary of Commerce direct the Department's Chief Information Officer to establish and implement a process to aggregate and share penetration testing results across bureau HVA system owners.