Date Issued
Submitting OIG
Department of the Interior OIG
Other Participating OIGs
Department of the Interior OIG
Agencies Reviewed/Investigated
Department of the Interior
Components
Departmentwide
Report Number
2016-ITA-020
Report Description

We evaluated the Department to determine whether it effectively follows the incident response lifecycle, as defined by the National Institute of Standards and Technology (NIST). We found that the Office of the Chief Information Officer (OCIO) had not fully implemented the capabilities recommended by NIST in its incident detection and response program. During internal threat simulation testing, most of our efforts to conduct reconnaissance, identify vulnerabilities, exfiltrate sensitive data, and communicate with known malicious command and control servers on the internet went unnoticed by the Department.

The Department’s decentralized management and authority across the OCIO and bureaus, combined with the flattened internal networks, has eliminated many of the technical security boundaries within the Department’s network – essentially creating blind spots where the OCIO cannot detect malicious activity. Our emulation of malicious activity was successful, in part, because of these blind spots. The Department’s assignment of responsibilities between the OCIO and the bureaus emphasized the Department’s inability to detect and respond to these blind spots.

The bureaus and offices had varying levels of capabilities, resources, and approaches to incident response. Even those with more incident response resources relied heavily on the OCIO for perimeter security controls and monitoring services, which were inconsistently shared with the bureaus. Since the OCIO did not establish the foundation necessary to successfully prepare for responding to incidents, the Department could not detect, contain, or recover from incidents in a timely manner.

Without a centralized program, Department and bureau incident response teams did not have an effective roadmap outlining policies, procedures, and responsibilities for handling incident response activities.
We made 23 recommendations to help the Department improve its incident response program, so it can promptly detect and fully contain cyber threats to maintain the availability, confidentiality, and integrity of Department computer systems and data. The Department concurred with all of our recommendations and is working to implement them.

Report Type
Inspection / Evaluation
Agency Wide
Yes
Number of Recommendations
23
Questioned Costs
$0
Funds for Better Use
$0
