We found that weaknesses in DOI’s cyber risk management and governance could cause mission disruptions, compromised data, and misuse of public funds.
Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
---|---|---|---|---
2022-ITA-025-01 | Yes | $0 | $0 | We recommend that the Office of the Chief Information Officer extend the capability of its data loss prevention solution to include rule-based analysis to detect and prevent the exfiltration of sensitive data from the subject system in accordance with industry best practices.
2022-ITA-025-02 | Yes | $0 | $0 | We recommend that the Office of the Chief Information Officer regularly test the Department's data loss prevention capability to ensure that sensitive data in the subject system is protected against data exfiltration attempts.
2022-ITA-025-03 | No | $0 | $0 | We recommend that the Office of the Chief Information Officer evaluate data communication protocols in use by the subject system that are vulnerable to exploitation and implement controls to mitigate identified vulnerabilities.
2022-ITA-025-04 | Yes | $0 | $0 | We recommend that the Office of the Chief Information Officer ensure the implementation and annual testing of contractually required data loss prevention controls on all cloud systems containing sensitive data.
2022-ITA-025-08 | Yes | $0 | $0 | We recommend that the Office of the Chief Information Officer establish controls to ensure that only FedRAMP-approved cloud-computing services are authorized to access the Department's network and that non-FedRAMP-approved cloud-computing services in use are discontinued and blocked from access to Department network resources in accordance with the Department's acceptable use policy.
2022-ITA-025-10 | No | $0 | $0 | We recommend that the Office of the Chief Information Officer ensure all existing non-Foundation Cloud Hosting Services contracts are migrated to an approved enterprisewide cloud-hosting procurement or modified to incorporate OCIO requirements and best practices for procuring cloud services, as recommended by the Chief Acquisition Officer and Chief Information Officer Councils and OCIO policy.