
Information Technology Security Weaknesses at a Core Data Center Could Expose Sensitive Data

Report Information

Date Issued
Report Number
2016-ITA-021
Report Type
Evaluation
External Entity
Departmentwide
Description

The Continuous Diagnostics and Mitigation program at a core data center is immature and not fully effective in protecting information technology systems from potential exploitation. One bureau did not effectively oversee the contractor responsible for implementing the Department’s IT security program to ensure that vulnerabilities on a high-value IT asset were discovered and mitigated in a timely manner.

The bureaus’ management practices left thousands of critical and high-risk vulnerabilities unmitigated for years on other systems. Bureau computers are running vulnerable, unsupported software because the U.S. Department of the Interior (DOI) has not established and enforced approved software lists. We also found that the data center’s contingency planning practices contributed to a hardware failure that temporarily affected the availability of other bureau and departmental systems.

These deficiencies occurred because the bureaus failed to install DOI’s inventory management software on all computers, identify and remove unauthorized and unsupported products from their systems, mitigate vulnerabilities in a timely manner, monitor their contractors to ensure all IT security requirements were met, monitor computers to ensure they remained securely configured, and meet annual contingency planning and plan testing requirements. Further, in our judgement, these deficiencies occurred because the Office of the Chief Information Officer (OCIO) did not provide the necessary oversight to ensure that bureaus and their contractors met Federal and Department IT security requirements. We made seven recommendations to the bureaus and one recommendation to OCIO to help ensure that DOI data centers and the systems they house are adequately secured.

Joint Report
No
Agency Wide
Yes