The U.S. Department of the Interior’s Cyber Risk Management Practices Leave Its Systems at Increased Risk of Compromise

View Report

Date Issued

Tuesday, February 28, 2023

Submitting OIG

Department of the Interior OIG

Other Participating OIGs

Department of the Interior OIG

Agencies Reviewed/Investigated

Department of the Interior

Components

Office of the Chief Information Officer

Report Number

2020ITA030

Report Description

DOI systems were operating without authorization, and the DOI did not consistently analyze and monitor security weaknesses.

Report Type

Inspection / Evaluation

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 6 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
2020-ITA-030-01	Yes	$0	$0
We recommend that the OCIO develop and implement a process to evaluate all systems' Authorizations to Operate annually for accuracy and completeness to ensure systems are operating with a valid authorization determined by actual residual risk.
2020-ITA-030-02	Yes	$0	$0
We recommend that the OCIO develop and implement a process to conduct quality control reviews at least annually to ensure that all systems within the official system of record (Cyber Security Assessment and Management system) have an accurate operating status.
2020-ITA-030-04	No	$0	$0
We recommend that the OCIO, in addition to ongoing continuous monitoring, develop and implement a policy to direct system owners to test all of the controls for their systems at least every 3 years.
2020-ITA-030-06	No	$0	$0
We recommend that the OCIO develop and implement a policy to verify that bureaus and offices perform control assessments every 3 years.
2020-ITA-030-07	No	$0	$0
We recommend that the OCIO develop and implement a review process that includes, at minimum, verifying that system owners have completed required testing for a sample of controls for each system before accepting the annual assurance statement.
2020-ITA-030-08	No	$0	$0
We recommend that the OCIO develop and implement a comprehensive quality control plan to perform required quarterly reviews of Plans of Action and Milestones in the official system of record to ensure that bureaus and offices address them in a timely manner, close them as appropriate, and continuously monitor and track them.