P@s$w0rds at the U.S. Department of the Interior: Easily Cracked Passwords, Lack of Multifactor Authentication, and Other Failures Put Critical DOI Systems at Risk

Date Issued

Tuesday, January 3, 2023

Submitting OIG

Department of the Interior OIG

Other Participating OIGs

Department of the Interior OIG

Agencies Reviewed/Investigated

Department of the Interior

Components

Office of the Chief Information Officer

Report Number

2021ITA005

Report Description

The DOI’s management practices and password complexity requirements were not sufficient to prevent potential unauthorized access to systems and data.

Report Type

Inspection / Evaluation

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 3 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
2021-ITA-005-01	Yes	$0	$0
We recommend that the Department prioritize implementing PIV or other Department-approved MFA methods that cannot be bypassed to allow single-factor authentication for all applications, starting with the Department's HVAs.
2021-ITA-005-05	No	$0	$0
We recommend that the Department prioritize the inventory, monitoring, and enforcement of existing controls as well as the controls we recommended in this report for accounts belonging to senior Government employees or accounts with elevated privileges.
2021-ITA-005-08	No	$0	$0
We recommend that the Department establish procedures and accountability mechanisms to ensure compliance with policies regarding account management monitoring and timely disabling of inactive accounts.