For our final report on the audit of the U.S. Census Bureau's (the Bureau's) incident response process, our audit objective was to assess the adequacy of the Bureau's process to respond to cybersecurity incidents according to federal and U.S. Department of Commerce requirements. We found the following:
I. the Bureau missed opportunities to mitigate a critical vulnerability, which resulted in the exploitation of vital servers;
II. the Bureau did not discover and report the incident in a timely manner;
III. the Bureau did not maintain sufficient system logs, which hindered incident investigation;
IV. the Bureau did not conduct a lessons-learned session; and
V. the Bureau continued operating servers that were no longer supported by the vendor.
Date Issued
Submitting OIG: Department of Commerce OIG
Other Participating OIGs: Department of Commerce OIG
Agencies Reviewed/Investigated: Department of Commerce
Components: U.S. Census Bureau
Report Number: OIG-21-034-A
Report Description
Report Type: Audit
Agency Wide: Yes
Number of Recommendations: 5
Questioned Costs: $0
Funds for Better Use: $0