Fire Island National Seashore is one of thousands of sites managed by the Department of the Interior.
Fire Island National Seashore is one of thousands of sites managed by the Department of the Interior.

The U.S. Department of the Interior Office of the Chief Information Officer (OCIO) essentially received a failing grade from its own Office of the Inspector General (IG) when it comes to following NIST for incident detection and response.

In a 54-page report, the IG rolled out a laundry list of NIST standards the OCIO has not met leaving the department unprepared to respond to cyber incidents, unable to promptly detect and fully analyze security incidents, contain and completely eradicate active cyberthreats and has not shown the ability to learn from previous cyberattacks.

“We found that the OCIO had not fully implemented the capabilities recommended by NIST in its incident detection and response program. The OCIO did not establish the foundation necessary for a mature incident response program—it did not determine objectives, define responsibilities, or manage the incident response program from an enterprise level,” the IG said in the report.

The report contains 23 recommendations by the IG's office improve its incident response program so the OCIO can detect and promptly rectify any future cyber issue.

Defending the Department of the Interior for cybersecurity threats is no simple task. The agency, which protects and manages the nation's natural and cultural heritage, has under its control a wealth of information that is sought after by foreign nationals and cybercriminals so it is a regular target for malicious actors. Adding to this burden is the expanse of its computer network, which houses the data and connects 2,400 separate facilities around the country.

The report pointed to one incident that took place in October 2014 when an attacker moved through the Office of Personnel Management network and into the Interior Department through a trusted connection. From there the attackers entered a human resources data base. The attack was not discovered until April 2015.

One of the reasons the OCIO could not promptly respond to a problem is it does not have its various bureaus on the same page so each responds in a different manner to a threat. Which goes directly against established NIST practices.

“During our review, we did not find the NIST-defined elements for incident response in the Department's IT security policies. We found that the OCIO did not have a fully developed incident response program because it had not established and communicated clear program roles and responsibilities to the bureaus. As a result, bureau incident response capabilities varied widely, which often resulted in active cyber threats not being fully analyzed and contained,” the report stated.

One of the primary flaws the IG found within the Interior Department was a lack of any type of response plan until August 2017 and the document it had been using previously was out of date and did not meet NIST standards.

“Without a department-level incident response plan, the OCIO cannot ensure that bureaus and offices are properly prepared to respond to incidents in accordance with OCIO's expectations,” the report said.

This lack of department-level leadership led the Interior Department's to develop separate plans of varying capability.

The IG report did not it will take many years and a large investment to bring the Interior Department up to standard, but if followed the OCIO will be able to promptly detect and fully contain cyberthreats, maintain the availability, confidentiality, and integrity of bureau computer systems and data.

The IG's top six recommendations were:

1.       Create comprehensive policy, as described by NIST guidance, for the incident response security program that prescribes:

  • Organizational priorities
  • Roles, responsibilities, and levels of authority
  • Performance measures
  • Reporting requirements

2.       Replace or redesign the official incident tracking system, as described by NIST guidance, to include:

  • All required metrics
  • All phases of the incident response lifecycle
  • Security controls applicable to all stored data types

3.       Develop processes for periodically performing lessons-learned activities and implement program improvements where warranted.

4.       Configure all DLP systems to block the transfer of sensitive information.

5.       Require all security incidents be tracked in a single enterprise system that allows department-wide incident correlation.

6. Accelerate plans to implement a Security Incident and Event Manager (SIEM) that can analyze and correlate events across multiple, disparate systems that incorporates data feeds from all security tools and infrastructure systems, to include those managed by the bureaus or third-party contractors.

The full list is available in the report.