The Department of Commerce has failed to address known deficiencies in its internal assessments of IT systems and struggled to implement effective continuous monitoring of cybersecurity threats, according to an audit.
A report from the Commerce Office of the Inspector General this week found that the internal assessments the department relies on to identify gaps in security and ensure its IT systems are safe from malicious hackers are badly in need of reform. Specifically, nearly half of the department’s 256 IT systems lack the security assessment plans, or alternative processes, that are supposed to spell out how each system will be tested, despite a requirement to have them.
“After taking into consideration nonstandardized processes, we found planning efforts for an estimated 118 systems (46 percent) still did not meet Department-prescribed requirements. More notably, adequate testing methods — which provide assessors with tailored guidance on how to assess a system — were not established during planning for an estimated 138 FY 2020 assessments (54 percent),” auditors noted.
In lieu of those plans, many of the measures used to evaluate IT systems security were developed on an “ad hoc” basis, with some offices relying on the generic guidance and security controls published by the National Institute of Standards and Technology, while at least one bureau told auditors it “preferred to plan as it goes, rather than at the beginning of its assessment.”
Relying on the standard NIST guidance alone is insufficient because Commerce has added controls of its own and tailored others to its specific IT environment; an assessor testing only the generic baseline would never check those department-specific requirements. Those custom changes were absent from the vast majority (83%) of the system plans drawn up by the department.
Further, officials failed to consistently measure 115 systems for core minimum security requirements over the past three years, while one out of every five systems went more than a year without being audited, including systems at the National Oceanic and Atmospheric Administration, the Bureau of Industry and Security, the United States Patent and Trademark Office, the International Trade Administration and the Office of the Secretary.
Among the recommendations made by auditors in the report is the call to “hold IT security staff accountable for the quality and execution of such assessments.”
Compounding these problems, an evaluation of the master oversight tool that Commerce relies on for visibility of IT risk across all of its systems found it full of “inaccurate and missing attributes,” and many staffers reported that a lack of customization, automation and training around the tool made them reluctant to use it.
Additionally, federal departments and agencies are required by the Cybersecurity and Infrastructure Security Agency at DHS to identify “high value assets” or critical IT systems that require extra protection or enhanced security protocols. Here again, the tool contains inaccurate or conflicting information.
“Over half of the systems [evaluated] were missing data fields such as Business Identifiable Information, Cloud System Status, and [High Value Asset] status,” the auditors wrote. “More concerning, two of the systems with blank HVA status were tracked as HVAs by other Department sources. As stated…HVA status is particularly important because these systems are mission critical and carry additional security and compliance requirements.”
The findings are part of a concerning pattern at Commerce: previous audits have found little movement or further maturity in the department’s IT security operations since 2017. Among the actions recommended by the Office of the Inspector General are to update the department’s enterprise-wide risk management tool, establish working groups to track and monitor assessment processes across departmental bureaus, and develop training material to better guide bureaus in implementing required policies and procedures.
In a response attached to the report, Commerce CIO André Mendes said the department “generally concurs” with the report’s findings and recommendations and has plans in place to address most or all of them by the end of 2022.