We evaluated the U.S. Department of the Interior’s (DOI’s) and the U.S. Geological Survey’s (USGS’) implementation of Phase 1 of the Continuous Diagnostics and Mitigation (CDM) program for a USGS system. Our evaluation revealed control deficiencies for hardware and software asset management and configuration management. Specifically, the DOI did not require bureaus and offices to maintain accurate hardware asset inventories for information systems, which prevented them from monitoring key security metrics through the DOI’s CDM dashboard. We also found that the DOI did not implement software blacklists or whitelists to help ensure that unapproved, unsupported, or potentially malicious software was not present on system computing devices. Further, we found that the USGS failed to require systems to operate with only those ports, protocols, and services necessary for essential operations, which increased their vulnerability to attack, and that the USGS did not mitigate vulnerabilities on USGS-owned system assets in a timely manner.
Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
---|---|---|---|---
2019-ITA-003-02 | No | $0 | $0 | We recommend that the DOI select and implement a CDM SWAM tool that is compatible with the DOI's computer environment.
2019-ITA-003-03 | No | $0 | $0 | We recommend that the DOI establish, implement, and continuously review and update approved software lists (blacklists and whitelists) to ensure that unapproved, unsupported, or potentially malicious software is not present on bureau computer networks.