
Open Recommendations

Implement a formalized process to validate or follow up on account removal actions identified during the semi-annual review process to ensure that user accounts align with job responsibilities and least privilege concepts.
Implement system access authorization processes for Splunk administrators to include separation of duties controls. When separation of duties cannot be achieved for conflicting roles, assess the risk and document the control deviation and risk-based decisions.
Ensure that audit log collection and retention is implemented in accordance with Federal and site-level policies and procedures.
Ensure account passwords are reset, and documentation retained, whenever an individual with access to service accounts leaves BEA or is no longer in a role requiring such access.
Update and implement existing configuration management procedures for all servers, printers, and services on the production network to enforce changing default credentials before the server or printer is connected to the network.
Update and implement vulnerability management procedures to ensure that security vulnerabilities involving anonymous access, default credentials, and vulnerable services are identified, monitored, and remediated.
We recommend that the Manager, Thomas Jefferson Site Office (TJSO), direct Jefferson Science Associates, LLC (JSA) to ensure application security controls are implemented in the Management Information System (MIS) portal to protect against known types of attacks, including cross-site scripting and unauthorized actions.
We recommend that the Manager, TJSO, direct JSA to update existing web application security risk assessment and testing processes for the MIS portal and remediate known web application vulnerabilities.
We recommend that the Manager, TJSO, direct JSA to update the vulnerability remediation process, including monitoring corrective actions for vulnerabilities identified during the scanning process and monitoring patching tools to ensure patches are applied as intended.
We recommend that the Manager, TJSO, direct JSA to enhance operational vulnerability management procedures to include regular credentialed scanning and centralized software management to ensure vulnerabilities are appropriately monitored and patches are applied as intended.
Update the vulnerability remediation process to ensure vulnerabilities are appropriately monitored and patches are applied in a timely manner.
Enhance operational vulnerability management procedures to ensure vulnerabilities that cannot be patched, such as configuration weaknesses and unsupported software, are investigated and resolved in a timely manner.
Enhance operational vulnerability management procedures to ensure vulnerabilities that cannot be patched, such as configuration weaknesses and unsupported software, are investigated and resolved in a timely manner.
Update and implement existing configuration management procedures for all servers and services on the production network to enforce changing default credentials before the server is connected to the network.
Update and implement vulnerability management procedures to ensure that security vulnerabilities involving anonymous access, default credentials, and vulnerable services are identified, monitored, and remediated.
Ensure application security controls are implemented in the WAPA development Portal to protect against known types of attacks, including cross-site scripting and unauthorized actions.
Update existing web application security risk assessment and testing processes for the WAPA Portal and remediate known web application vulnerabilities.
Update the vulnerability identification and software patch management process to ensure vulnerabilities are appropriately monitored and patches are applied in a timely manner.
Enhance operational vulnerability and software patch management procedures to ensure vulnerabilities that cannot be patched, such as configuration weaknesses and unsupported software, are investigated and resolved in a timely manner, or implement a risk acceptance or POA&Ms process.
We continue to recommend that the Manager, Fermi Site Office, direct Fermi Research Alliance, LLC to update the vulnerability remediation process, including monitoring corrective actions for vulnerabilities identified during the scanning process and monitoring patching tools to ensure patches are applied as intended.
We continue to recommend that the Manager, Fermi Site Office, direct Fermi Research Alliance, LLC to enhance operational vulnerability management procedures to ensure vulnerabilities that cannot be patched, such as configuration weaknesses and unsupported software, are validated as unfixable, required for the mission, and mitigated to an acceptable risk with Authorizing Official concurrence.
We continue to recommend that the Manager, ORNL Site Office, direct ORNL to: 15A. Update the vulnerability remediation process, including monitoring corrective actions for vulnerabilities identified during the scanning process, monitoring vendor patch releases and end-of-life notifications, and monitoring patching tools to ensure patches are applied as intended.
We continue to recommend that the Manager, ORNL Site Office, direct ORNL to: B. Enhance operational vulnerability management procedures to ensure vulnerabilities that cannot be patched, such as configuration weaknesses and unsupported software, are investigated and resolved in a timely manner.
Ensure application security controls are implemented in the NARAC application to protect against known types of attacks. (21-LLNL-PT-01, Rec 1)
Update existing web application security risk assessment and testing processes for the National Atmospheric Release Advisory Center application and remediate known web application vulnerabilities. (21-LLNL-PT-01)