Date Issued
Report Number
2019-ITA-003
Report Type
Inspection / Evaluation
Component
U.S. Geological Survey
Description
We evaluated the U.S. Department of the Interior’s (DOI’s) and the U.S. Geological Survey’s (USGS’) implementation of Phase 1 of the Continuous Diagnostics and Mitigation (CDM) program for a USGS system.
Our evaluation revealed control deficiencies for hardware and software asset management and configuration management. Specifically, the DOI did not require bureaus and offices to maintain accurate hardware asset inventories for information systems, which prevented them from monitoring key security metrics through the DOI’s CDM dashboard. We also found that the DOI did not implement software blacklists or whitelists to help ensure that unapproved, unsupported, or potentially malicious software was not present on system computing devices. Further, we found that the USGS failed to require systems to operate with only those ports, protocols, and services necessary for essential operations, which increased their vulnerability to attack, and that the USGS did not timely mitigate vulnerabilities on USGS-owned system assets.
Joint Report
No
Agency Wide
No
Questioned Costs
$0
Funds for Better Use
$0
Local File
Oversight Report File