The Interior Department’s Inspector General (IG) found about 90,000 critical and high-risk vulnerabilities on the 3,684 devices that were tested.
The IG said Monday that the DOI’s Continuous Diagnostics and Mitigation (CDM) program is immature and not effective at protecting the agency’s IT assets, and the ability of the agency to detect unauthorized computers and malware is inadequate.
The IG found that this occurred because the Office of the Chief Information Officer (OCIO) didn’t require bureaus to follow best practices for vulnerability detection, install DOI’s inventory management software on all computers, establish approved software lists to protect against malware, or monitor computers to make sure they remained securely configured.
“Until DOI improves its CDM practices, high-value IT assets will remain at high risk of compromise, the results of which could have a severe or catastrophic effect on departmental operations and cause the loss of sensitive data,” the IG report stated.
The IG recommended that the DOI create an ongoing process to ensure its systems inventory is updated and use IBM BigFix as a hardware inventory solution. The IG also recommended following software management controls that maintain accurate inventory, report unauthorized devices, include procedures for removal of unauthorized products, and help to discontinue unsupported products.
The DOI should also incorporate monitoring and reporting of all devices, consistent remediation techniques, elevated credential usage for testing, bureau accountability for patch deployment, and quarantining of critically vulnerable systems that aren’t patched within a specified amount of time.
The IG said that the DOI should mandate a departmentwide configuration baseline for computers and monitor computer operating system configuration.