The inspector general of the Department of the Interior found Wednesday that the Continuous Diagnostics and Mitigation Program did not adequately protect the data belonging to 24 IT systems within the agency.
The management practices didn’t detect high-risk vulnerabilities that could’ve left exposed personally identifiable data for years within the Bureau of Indian Affairs and the Bureau of Indian Education. The bureaus were also unable to prevent or detect malware on their systems.
This occurred because the bureaus didn’t:
- Install the DOI’s software on all of its computers.
- Remove unauthorized applications from the computers.
- Address vulnerabilities quickly.
- Monitor their IT contractors.
- Continuously configure their computers.
- Meet planning and testing requirements.
The IG office said that the systems remain vulnerable and could adversely affect the DOI’s operations until these factors are fixed.
The IG found 20,135 vulnerabilities on the DOI’s systems, including 3,972 with available software patches. Some of the vulnerabilities date back to 2009.
The IG said that the DOI needs to establish an ongoing process to take inventory of its systems, install IBM Big Fix on all computers, remove any unauthorized applications from the computers, mitigate any high-risk vulnerabilities within 30 days of the detection, review contracts with IT vendors to ensure security requirements are met, and monitor system configuration settings.
Also, the DOI must “establish an independent verification and validation function to ensure that all Federal and Department IT security requirements are met and its data centers and the information systems they house are adequately secured,” the IG report stated.
