GSA agrees to speed up system patches

General Services Administration officials intend to increase the speed with which they patch their computer networks, after a recent inspector general audit found the agency moving too slowly.

A GSA spokesman said Oct. 4 that GSA has a robust vulnerability scanning and patch management program. It scans more than 2,000 servers and more than 10,000 workstations and then patches them “in a very timely manner.” But officials know they must move faster to check and patch agency IT systems.

“GSA will further work with system owners to lower the patching cycle times as much as possible and ensure the databases are not at risk to exploitation,” said the spokesman, Dan Cruz.

To prevent abuse, system officials must ensure they capture all relevant fixes to their systems and software when those fixes are released. They also must test for adverse effects and, if all goes well, implement the fixes. GSA requires officials to address all high-risk vulnerabilities within 30 days.

But, in a report dated Sept. 28, IG auditors found the agency did not complete the work in time on two of the four systems they audited. The offices that managed those systems allowed officials at least two months to resolve weaknesses. In addition, GSA had not completed adequate scans of a third system, resulting in multiple database patching problems dating back to 2009.
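The audit check described above, capture of fixes, a 30-day window for high-risk findings, and cycle times that overran it, can be expressed as a small compliance report over scan results. The following is an added example, not GSA's or the IG's tooling; the field names, the hypothetical system and host names, and the finding dates are constructed for illustration. The only value taken from the article is the 30-day requirement for high-risk vulnerabilities.

```python
"""Patch-SLA compliance check over vulnerability scan findings.

Added example, not GSA's own tooling. Field names, the sample findings, and the
date values are constructed; the one rule taken from the article is that
high-risk findings must be resolved within 30 days.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

HIGH_RISK_SLA_DAYS = 30  # GSA's stated requirement for high-risk vulnerabilities


@dataclass
class Finding:
    system: str               # hypothetical system name
    host: str                 # hypothetical host name
    severity: str             # "high", "medium" or "low"
    first_seen: date          # date the scanner first reported the finding
    resolved: Optional[date]  # date a later scan no longer reported it; None if still open


def days_open(f: Finding, as_of: date) -> int:
    """Days between first detection and resolution (or the as-of date if still open)."""
    end = f.resolved or as_of
    return (end - f.first_seen).days


def sla_breaches(findings: List[Finding], as_of: date,
                 sla_days: int = HIGH_RISK_SLA_DAYS) -> List[Finding]:
    """High-risk findings that stayed open longer than the SLA window.

    Open findings count against the SLA too, so a system whose scans were never
    completed still shows up once its first detection is older than the window.
    """
    return [f for f in findings
            if f.severity == "high" and days_open(f, as_of) > sla_days]


def cycle_time_by_system(findings: List[Finding], as_of: date) -> Dict[str, float]:
    """Mean days-open of high-risk findings, per system (the 'patching cycle time')."""
    buckets: Dict[str, List[int]] = {}
    for f in findings:
        if f.severity != "high":
            continue
        buckets.setdefault(f.system, []).append(days_open(f, as_of))
    return {system: sum(v) / len(v) for system, v in buckets.items()}


# Constructed sample findings; the systems, hosts and dates are not from the audit.
SAMPLE = [
    Finding("sys-a", "web01", "high", date(2012, 6, 1), date(2012, 6, 20)),    # 19 days: within SLA
    Finding("sys-a", "web02", "high", date(2012, 6, 1), date(2012, 7, 15)),    # 44 days: breach
    Finding("sys-b", "db01", "high", date(2012, 5, 10), None),                 # still open: breach
    Finding("sys-b", "db01", "medium", date(2012, 5, 10), None),               # not high-risk: ignored
    Finding("sys-c", "app01", "high", date(2012, 7, 20), date(2012, 7, 25)),   # 5 days: within SLA
]
AS_OF = date(2012, 8, 1)  # constructed reporting date

if __name__ == "__main__":
    for f in sla_breaches(SAMPLE, AS_OF):
        print(f"{f.system}/{f.host}: {days_open(f, AS_OF)} days open "
              f"(SLA {HIGH_RISK_SLA_DAYS} days)")
    print(cycle_time_by_system(SAMPLE, AS_OF))
```

Counting still-open findings against the window is the point of the check: a finding that never gets re-scanned never gets a resolution date, so it is reported as a breach rather than silently dropping out of the numbers.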

Cruz agreed there are challenges in patching a few databases in 30 days. Database applications need to be thoroughly tested before they can be put into production to prevent them from breaking, he said.

“In these cases, we use a risk-based approach and a defense in depth security strategy to ensure that the databases are not exposed to the Internet, therefore lowering the risk,” he said.

Auditors were reviewing the agency IT security programs and controls as the Federal Information Security Management Act requires IGs to do annually. In the evaluation, auditors also found GSA’s Public Building Service lacks procedures to ensure that system officials can recover data and restore the system in case of a contingency. Further, the CIO lacks guidance for securely developing mobile applications to minimize mobile threats. GSA has five custom apps available for the public to use. But the CIO does not outline the required controls and assessments that system security officials should perform to ensure the apps are secure. Instead, the CIO’s office told auditors it expects to be notified when another office creates a new app.

Auditors recommended the CIO work with PBS to develop a process for testing whether systems can be restored, before the systems are deployed. They also want guidance for officials to securely develop mobile apps.

Cruz said PBS and the CIO will work together to implement the new requirements this fiscal year. He added that all of GSA’s systems and apps adhere to the National Institute of Standards and Technology’s processes for assessment and authorization before being put into production. But this year, the CIO will issue guidance and direction, as recommended.

About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.

Reader comments

Tue, Oct 9, 2012 OccupyIT

But GSA is the ultimate in IT services! Say it isn't so before I send all my cloud work over to the monopoly... And I thought I could trust their massive marketing campaign and conference presentations...