Thousands of critical and high-risk vulnerabilities were identified on two Interior Department bureaus’ IT assets, according to an inspector general report released to the public Friday.
The redacted report offers a bleak picture of information technology for the Bureau of Indian Affairs and Bureau of Indian Education. Testing found the two agencies’ IT assets had more than 20,000 vulnerabilities, and the Continuous Diagnostics and Mitigation program at a core Interior Department data center is not effective at protecting IT systems from “potential exploitation.”
The report’s summary notes that: “One bureau did not effectively oversee the contractor responsible for implementing the Department’s IT security program to ensure that vulnerabilities on a high-value IT asset were discovered and timely mitigated.”
In the public version, the inspector general has redacted the name of the IT asset.
The report also found other problems, including that the data center's "contingency planning practices contributed to a hardware failure that temporarily affected the availability of other bureau and departmental systems," according to the report's summary.
The department’s Office of the Chief Information Officer did not address the report specifically in a response emailed to FedScoop. “Interior takes protecting our assets and systems very seriously and we are working to continually improve our cybersecurity posture,” the statement said.
One of the report’s big takeaways is that the Office of the CIO is not effectively overseeing the bureaus’ and the contractors’ implementation of federal and department IT security requirements.
For example, the department hasn’t established or enforced software lists, a shortcoming that contributed to computers for the two bureaus running vulnerable, unsupported software, the report said.
The inspector general tested a little more than 1,000 of the two bureaus' devices, including "computer servers, workstations, and other network devices, such as firewalls and routers, as discovered."
And although department policy requires all critical and high-risk vulnerabilities be patched within 30 days of discovery, tests by the inspector general found more than 20,000 vulnerabilities on the two bureaus’ IT assets.
Almost 4,000 of those were unmitigated for years “even though software patches to fix the vulnerabilities were available,” the report says.
Other vulnerabilities among the 20,000 were in software the vendor no longer supports, so they can be fixed only by removing or upgrading the software rather than by patching it.
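The two findings above describe a patch-management compliance check: every critical or high-risk vulnerability must be remediated within 30 days of discovery, and findings on vendor-unsupported software cannot be closed by patching at all. The following script, added here as an illustration and not part of the IG report or the department's tooling, triages a constructed scanner export against those two rules. The CSV columns, hostnames and plugin names are invented sample data; real scanners export different field names, so the column mapping is an assumption to adapt.

```python
import csv
import io
from datetime import date

# Constructed sample scan export; hostnames, plugin names and dates are made up.
# Columns are an assumed layout, not any particular scanner's export format.
SAMPLE_SCAN_CSV = """host,plugin,severity,first_seen,patch_available,vendor_supported
srv-01,OpenSSL out-of-date,critical,2021-03-10,yes,yes
srv-01,Legacy Java runtime,high,2019-06-01,no,no
wkst-17,Browser update missing,high,2024-05-20,yes,yes
wkst-17,Info disclosure banner,medium,2022-01-15,yes,yes
fw-02,Firmware past end-of-life,critical,2020-11-02,no,no
"""

SLA_DAYS = 30                              # policy: critical/high fixed within 30 days
TRACKED_SEVERITIES = {"critical", "high"}  # severities the 30-day rule applies to


def parse_scan(text):
    """Parse a CSV scan export into a list of finding dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(findings, as_of):
    """Bucket critical/high findings by how they must be handled.

    within_sla  - supported software, still inside the 30-day window
    overdue     - supported software, patch window exceeded
    unsupported - vendor no longer supports it; only removal/upgrade fixes it
    """
    report = {"within_sla": [], "overdue": [], "unsupported": []}
    for f in findings:
        if f["severity"].strip().lower() not in TRACKED_SEVERITIES:
            continue
        age = (as_of - date.fromisoformat(f["first_seen"])).days
        entry = {**f, "days_open": age}
        if f["vendor_supported"].strip().lower() == "no":
            report["unsupported"].append(entry)
        elif age > SLA_DAYS:
            report["overdue"].append(entry)
        else:
            report["within_sla"].append(entry)
    # Oldest exposure first, so the worst backlog is at the top of each list
    for bucket in report.values():
        bucket.sort(key=lambda e: e["days_open"], reverse=True)
    return report


def summarize(report):
    """Return finding counts per bucket for a one-line status view."""
    return {name: len(entries) for name, entries in report.items()}


if __name__ == "__main__":
    result = triage(parse_scan(SAMPLE_SCAN_CSV), date(2024, 6, 1))
    print(summarize(result))
    for entry in result["overdue"]:
        print(f"OVERDUE  {entry['host']:8} {entry['plugin']:28} {entry['days_open']} days open")
    for entry in result["unsupported"]:
        print(f"EOL      {entry['host']:8} {entry['plugin']:28} remove or upgrade")
```

Run against a real export, the `overdue` bucket is the list the 30-day policy says should be empty, and `days_open` makes multi-year exposure like the report describes visible at a glance; the `unsupported` bucket is the portion of the backlog that a patch cycle will never clear and that needs a software-inventory decision instead.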
In total, the IG issued eight recommendations, and the Office of the Chief Information Officer concurred with all of them.