DOI’s Software Vulnerability Identification and Remediation Practices (SVIRP)

Title Full

The U.S. Department of the Interior Information Systems at Increased Risk Due to Unmitigated Known Vulnerabilities

Date Issued

Wednesday, September 17, 2025

Submitting OIG

Department of the Interior OIG

Agencies Reviewed/Investigated

Department of the Interior

Components

Office of the Chief Information Officer

Report Number

2023-ITA-007

Report Description

DOI is not consistently reducing cybersecurity risks by remediating software vulnerabilities that have been rated as the most severe.

Report Type

Inspection / Evaluation

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

Open Recommendations

This report has 3 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
2023-ITA-007-03	No	$0	$0
We recommend that the Office of the Chief Information Officer query bureaus and offices for all current systems with publicly available interfaces and develop a DOI?wide inventory that maintains IP addressing and service ports, system ownership, and point of contact information.
2023-ITA-007-04	Yes	$0	$0
We recommend that the Office of the Chief Information Officer develop a process whereby all changes to publicly available systems and newly deployed systems are updated in a DOI-wide inventory and included in any security assessments and monitoring.
2023-ITA-007-09	No	$0	$0
We recommend that the Office of the Chief Information Officer require bureaus and offices use updated guidance and resources provided by the Office of the Chief Information Officer, in response to Recommendation 4 of this report, to evaluate and prioritize remediation of vulnerabilities persisting beyond approved timelines.