Although the Department had several notable improvements in implementing its cybersecurity initiatives, its overall IT security programs and practices were not effective in all of the five security functions. We had findings in all eight metric domains, which included findings with the same or similar conditions identified in prior reports. Specifically, we found that the Department can strengthen its controls in areas such as - (1) Risk Management. Remediation process for its Plan of Action and Milestones; enterprise supply chain assessment strategy; IT inventory reporting; and required IT security clauses for its contracts: (2) Configuration Management. Use of unsecure connections and appropriateapplication connection protocols; and reliance on unsupported operating systems, databases, and applications in its production environments:(3) Identify and Access Management. Removing access of terminated users to the Department’s network and database management: and(4) Incident Response. Timely reporting of incidents; and ensuring data loss prevention tools work accordingly. Until the Department improves in these areas, it cannot ensure that its overall information security program adequately protects its systems and resources fromcompromise and loss.
Open Recommendations
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | |
|---|---|---|---|---|---|
| 1.1 | Yes | $0 | $0 | ||
| We recommend that the Chief Information Officer require the Department to establish oversight controls to ensure that POA&Ms are assigned with the required criticality impact levels and remediation is conducted within the required timeframes. | |||||
| 1.2 | Yes | $0 | $0 | ||
| We recommend that the Chief Information Officer require the Department to develop and implement a Department-wide ICT supply chain risk management strategy to include the supply chain risk tolerance, acceptable supply chain risk mitigation strategies, and foundational practices. | |||||
| 1.3 | Yes | $0 | $0 | ||
| We recommend that the Chief Information Officer require the Department to develop a process to evaluate and routinely monitor supply chain risks associated with the development, acquisition, maintenance, and disposal of systems and products. | |||||
| 1.4 | Yes | $0 | $0 | ||
| We recommend that the Chief Information Officer require the Department to establish and automate procedures to ensure all Department-wide IT inventories are accurate, complete, and periodically tested for accuracy. Include steps to establish that all IT contracts are reviewed and verified for applicable privacy, security, and access provisions. | |||||
| 1.5 | Yes | $0 | $0 | ||
| We recommend that the Chief Information Officer require the Department to verify and periodically reconcile the accuracy of cloud service provider inventories in or against CSAM. | |||||
| 2.1 | Yes | $0 | $0 | ||
| We recommend that the Chief Information Officer require the Department to incorporate additional measures to, at a minimum, achieve Level 4 Managed and Measurable status of the Configuration Management program. | |||||
| 2.2 | Yes | $0 | $0 | ||
| We recommend that the Chief Information Officer require the Department to develop enhanced oversight controls to ensure all Department connections are migrated to TLS 1.2 or higher cryptographic protocol. | |||||
| 2.3 | Yes | $0 | $0 | ||
| We recommend that the Chief Information Officer require the Department to enhance implementation controls to prioritize and apply the most up-to-date and timely software patches and security updates to the identified systems and information technology solutions. | |||||
| 2.4 | Yes | $0 | $0 | ||
| We recommend that the Chief Information Officer require the Department to establish stronger monitoring controls to enforce the management of unsupported system components and track and discontinue the use of unsupported operating systems, databases, and applications. | |||||
| 2.5 | Yes | $0 | $0 | ||
| We recommend that the Chief Information Officer require the Department to develop verification procedures and enforce the inactivity settings to ensure virtual private network sessions time out after 30 minutes of inactivity. | |||||
| 2.6 | Yes | $0 | $0 | ||
| We recommend that the Chief Information Officer require the Department to correct or mitigate the vulnerabilities identified during the securityassessment, in accordance with the severity level of each vulnerability identified. | |||||
| 3.1 | Yes | $0 | $0 | ||
| We recommend that the Chief Information Officer require the Department to establish oversight controls to ensure the Department's password, terminations, and deactivation policies are enforced accordingly. | |||||
| 3.2 | Yes | $0 | $0 | ||
| We recommend that the Chief Information Officer require the Department to enforce the mandate for all websites to display warning banners when users login to Departmental resources, and establish additional procedures and monitoring processes to ensure that banners includethe approved warning language. | |||||
| 3.3 | Yes | $0 | $0 | ||
| We recommend that the Chief Information Officer require the Department to establish and enforce a corrective action plan to monitor and remediate identified database vulnerabilities. | |||||
| 4.1 | Yes | $0 | $0 | ||
| We recommend that the Chief Information Officer require the Senior Agency Official for Privacy to establish additional processes, procedures, and monitoring controls to validate, track and enforce the completion of PIAs, PTAs, and SORNs. | |||||
| 5.1 | Yes | $0 | $0 | ||
| We recommend that the Chief Information Officer require the Department to establish monitoring and oversight controls that ensure all new users satisfy all of the mandatory training requirements before they receive access to Departmental resources. | |||||
| 6.1 | Yes | $0 | $0 | ||
| We recommend that the Chief Information Officer require the Department to establish oversight controls to review, monitor and verify progress of the ISCM strategy, as well as the annual reviews of all Departmental cyber security policies, to reflect the current environment. | |||||
| 7.1 | Yes | $0 | $0 | ||
| We recommend that the Chief Information Officer require the Department to incorporate additional measures to, at a minimum, achieve Level 4 Managed and Measurable status of the Incident Response program. | |||||
| 7.2 | Yes | $0 | $0 | ||
| We recommend that the Chief Information Officer require the Department to develop and implement oversight controls to ensure that incidents are consistently submitted to US-CERT and the OIG within the required timeframes, are consistently categorized, and include the correctvector elements as required. | |||||
| 7.3 | Yes | $0 | $0 | ||
| We recommend that the Chief Information Officer require the Department to establish monitoring controls to ensure policies and procedures are updated frequently to contain the most updated information (i.e., contractual obligations) and those specifically relating to computer incident reporting to OIG are enforced accordingly. | |||||
| 7.4 | Yes | $0 | $0 | ||
| We recommend that the Chief Information Officer require the Department to develop and implement testing procedures and enhance current policies and processes to ensure that the DLP solution works as intended for the blocking of sensitive information transmission. | |||||
| 8.1 | Yes | $0 | $0 | ||
| We recommend that the Chief Information Officer require the Department to improve oversight controls that ensures contingency plan tests, and other artifacts impacting contingency plan testing, are documented, and updated in a consistent and timely manner. | |||||
| 8.2 | Yes | $0 | $0 | ||
| We recommend that the Chief Information Officer require the Department to develop additional processes and controls to confirm the proper validation and verification of all required contingency planning controls is documented accordingly before completing the SSP checklists and granting authorization to cloud service providers. | |||||
| 8.3 | Yes | $0 | $0 | ||
| We recommend that the Chief Information Officer require the Department to establish additional procedures and controls to assure stakeholders are properly adhering to contingency planning guidance. | |||||
