Security of the U.S. Department of the Interior’s Publicly Accessible Information Technology Systems

We assessed DOI’s cyber security defense measures and identified potential security weaknesses with the configuration of publicly available information technology systems at three bureaus. Specifically, we found nearly 3,000 critical and high-risk vulnerabilities in hundreds of publicly accessible computers operated by these three bureaus.

 

Our findings fall under two main categories: 1) inadequate understanding or testing of publicly available systems; and 2) missing controls that would protect internal systems in the event that those publicly available systems are compromised. The combination of these two findings can have wide-reaching impacts on the security of DOI’s information systems. These deficiencies occurred because DOI did not effectively monitor its publicly accessible systems to ensure they were free of vulnerabilities or isolate its publicly accessible systems from its internal computer networks to limit the potential adverse effects of a successful cyber attack. 

 

We offered six recommendations to help DOI address our findings. In its response to our draft report, the Office of the Chief Information Officer concurred with all of our recommendations. Based on this response, we consider the recommendations resolved, but not implemented.