We assessed the effectiveness of DOI’s Continuous Diagnostics and Mitigation (CDM) program for three high-value information technology (IT) assets operated by three bureaus. We found that DOI’s CDM program is immature and not fully effective in protecting high-value IT assets from exploitation. DOI’s management practices failed to detect critical and high-risk vulnerabilities on one of its high-value IT assets and left thousands of critical and high-risk vulnerabilities unmitigated for years on three of its high-value assets.
We made six recommendations to protect DOI’s high-value IT assets from loss or disruption by strengthening DOI’s CDM practices. OCIO concurred with five of our recommendations and partially concurred with one recommendation.
The final report was revised on October 19, 2016, to include a new response from the Department.