Report File
Title Full
The U.S. Department of the Interior Information Systems at Increased Risk Due to Unmitigated Known Vulnerabilities
Date Issued
Submitting OIG
Department of the Interior OIG
Agencies Reviewed/Investigated
Department of the Interior
Components
Office of the Chief Information Officer
Report Number
2023-ITA-007
Report Description

DOI is not consistently reducing cybersecurity risks by remediating software vulnerabilities that have been rated as the most severe.

Report Type
Inspection / Evaluation
Agency Wide
Yes
Number of Recommendations
9
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Open Recommendations

This report has 9 open recommendations.
Recommendation Number Significant Recommendation Recommended Questioned Costs Recommended Funds for Better Use Additional Details
2023-ITA-007-01 Yes $0 $0

We recommend that the Office of the Chief Information Officer require DOI bureaus and offices to prioritize vulnerability remediation according to risk as defined by the system owner and ensure that all overdue known exploited vulnerabilities are validated and remediated.

2023-ITA-007-02 No $0 $0

We recommend that the Office of the Chief Information Officer review and analyze DOI bureau and office vulnerability scan results against their internal procedures to identify and implement overall improvements across DOI.

2023-ITA-007-03 No $0 $0

We recommend that the Office of the Chief Information Officer query bureaus and offices for all current systems with publicly available interfaces and develop a DOI-wide inventory that maintains IP addressing and service ports, system ownership, and point of contact information.

2023-ITA-007-04 Yes $0 $0

We recommend that the Office of the Chief Information Officer develop a process whereby all changes to publicly available systems and newly deployed systems are updated in a DOI-wide inventory and included in any security assessments and monitoring.

2023-ITA-007-05 No $0 $0

We recommend that the Office of the Chief Information Officer conduct regular reviews of all open vulnerabilities that are older than the required completion timeframes and ensure that any vulnerabilities that have not been closed are tracked in accordance with Federal requirements.

2023-ITA-007-06 No $0 $0

We recommend that the Office of the Chief Information Officer establish a vulnerability management process that includes using historical data to identify and report vulnerabilities that have persisted beyond required remediation timeframes and sharing the data with bureaus and offices.

2023-ITA-007-07 No $0 $0

We recommend that the Office of the Chief Information Officer require bureaus and offices use available tools to periodically evaluate for vulnerabilities persisting beyond approved timelines and prioritize their remediation.

2023-ITA-007-08 No $0 $0

We recommend that the Office of the Chief Information Officer require bureaus and offices remediate any vulnerabilities persisting beyond the timeframes required by Federal guidelines and Department policies.

2023-ITA-007-09 No $0 $0

We recommend that the Office of the Chief Information Officer require bureaus and offices use updated guidance and resources provided by the Office of the Chief Information Officer, in response to Recommendation 4 of this report, to evaluate and prioritize remediation of vulnerabilities persisting beyond approved timelines.
