GSA agrees to speed up system patches

General Services Administration officials intend to increase the speed with which they patch their computer networks, after a recent inspector general audit found the agency moving too slowly.

A GSA spokesman said Oct. 4 that GSA has a robust vulnerability scanning and patch management program. It scans more than 2,000 servers and more than 10,000 workstations and then patches them “in a very timely manner.” But officials know they must move faster to check and patch agency IT systems.

“GSA will further work with system owners to lower the patching cycle times as much as possible and ensure the databases are not at risk to exploitation,” said the spokesman, Dan Cruz.

To prevent exploitation, system officials must track every relevant fix to their systems and software as it is released, test each fix for adverse effects, and, if testing passes, deploy it. GSA requires officials to address all high-risk vulnerabilities within 30 days.

But in a report dated Sept. 28, IG auditors found the agency did not complete the work in time on two of the four systems they audited. The offices that managed those systems allowed officials at least two months to resolve weaknesses. In addition, GSA had not adequately scanned a third system, leaving multiple database patching problems, some dating back to 2009, unaddressed.

Cruz agreed there are challenges in patching a few databases within 30 days. Database patches need to be thoroughly tested before they are put into production to prevent the applications from breaking, he said.

“In these cases, we use a risk-based approach and a defense in depth security strategy to ensure that the databases are not exposed to the Internet, therefore lowering the risk,” he said.
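The two failure modes the audit describes (patches that overrun the 30-day window, and hosts whose patch state is unknown because scans never completed) can be measured from ordinary scan output. The script below is an added example written for this article, not GSA's tooling. The 30-day window for high-risk findings is the figure GSA gives; the 60-day window for moderate findings, the 30-day scan-freshness limit, the host names, check identifiers and findings are all constructed assumptions. It also applies the risk-based distinction Cruz describes: a late patch on a host reachable from the Internet is flagged separately from one on a host that is not.

```python
"""Patch-SLA compliance check over constructed vulnerability-scan findings.

Added example for illustration; not GSA's tooling. The 30-day window for
high-risk findings is the figure the article gives. The 60-day window for
moderate findings, the 30-day scan-freshness limit, the host names and the
findings themselves are assumptions made up for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

HIGH_RISK_SLA_DAYS = 30        # stated GSA requirement
MODERATE_RISK_SLA_DAYS = 60    # assumption for illustration
MAX_SCAN_AGE_DAYS = 30         # assumption: a host unscanned this long is "unmeasured"


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str                 # scanner check identifier (constructed)
    severity: str                 # "high" or "moderate"
    first_seen: date              # first scan that reported the weakness
    resolved: Optional[date]      # scan date at which it stopped being reported, or None
    internet_exposed: bool        # True if the host is reachable from the Internet


def sla_days(f: Finding) -> int:
    return HIGH_RISK_SLA_DAYS if f.severity == "high" else MODERATE_RISK_SLA_DAYS


def days_open(f: Finding, today: date) -> int:
    """Days between first report and remediation (or today if still open)."""
    return ((f.resolved or today) - f.first_seen).days


def classify(f: Finding, today: date) -> str:
    """'ok' if patched within SLA, otherwise 'late'. A late finding on an
    Internet-exposed host is 'late-exposed': the defense-in-depth argument
    (database not reachable from the Internet) does not apply to it."""
    if days_open(f, today) <= sla_days(f):
        return "ok"
    return "late-exposed" if f.internet_exposed else "late"


def stale_hosts(inventory, scan_log, today: date):
    """Inventory hosts with no completed scan inside MAX_SCAN_AGE_DAYS. Their
    patch state is unknown, which is the failure the IG found on the third
    system: problems that go unmeasured cannot be counted against any SLA."""
    return sorted(
        h for h in inventory
        if h not in scan_log or (today - scan_log[h]).days > MAX_SCAN_AGE_DAYS
    )


def report(findings, inventory, scan_log, today: date) -> dict:
    counts = {"ok": 0, "late": 0, "late-exposed": 0}
    overdue = []
    for f in findings:
        c = classify(f, today)
        counts[c] += 1
        if c != "ok":
            overdue.append((f.host, f.check_id, days_open(f, today), c))
    return {"counts": counts, "overdue": overdue,
            "stale_hosts": stale_hosts(inventory, scan_log, today)}


# --- constructed sample data (not real GSA hosts or findings) ---------------
TODAY = date(2012, 10, 4)

FINDINGS = [
    Finding("ws-101", "CHK-0001", "high",     date(2012, 9, 20), date(2012, 9, 28), False),
    Finding("srv-22", "CHK-0002", "high",     date(2012, 8, 1),  None,              True),
    Finding("db-07",  "CHK-0003", "high",     date(2012, 8, 15), None,              False),
    Finding("db-03",  "CHK-0004", "moderate", date(2012, 8, 20), None,              False),
    Finding("srv-30", "CHK-0005", "high",     date(2012, 9, 10), date(2012, 10, 3), True),
]

INVENTORY = ["ws-101", "srv-22", "db-07", "db-03", "srv-30", "db-09"]

# Most recent completed scan per host; db-03 and db-09 have not been scanned recently.
SCAN_LOG = {
    "ws-101": date(2012, 10, 1),
    "srv-22": date(2012, 10, 2),
    "db-07":  date(2012, 9, 30),
    "db-03":  date(2012, 7, 1),
    "srv-30": date(2012, 10, 3),
    "db-09":  date(2012, 6, 15),
}

if __name__ == "__main__":
    r = report(FINDINGS, INVENTORY, SCAN_LOG, TODAY)
    print("counts:", r["counts"])
    for host, check, days, cls in r["overdue"]:
        print(f"{cls:13s} {host:8s} {check} open {days} days")
    print("hosts with no recent scan:", r["stale_hosts"])
```

On the sample data the check reports two findings past their window, one of them on an Internet-exposed server, and two hosts that have not been scanned in over 30 days. The second list is the one worth watching: a clean SLA count means nothing for hosts that are not being measured at all.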

Auditors were reviewing the agency's IT security programs and controls, as the Federal Information Security Management Act (FISMA) requires IGs to do annually. In the evaluation, auditors also found GSA’s Public Buildings Service (PBS) lacks procedures to ensure that system officials can recover data and restore a system in a contingency. Further, the CIO lacks guidance for securely developing mobile applications to minimize mobile threats. GSA has five custom apps available for the public to use, but the CIO does not specify the required controls and assessments that system security officials should perform to ensure the apps are secure. Instead, the CIO’s office told auditors it expects to be notified when another office creates a new app.

Auditors recommended the CIO work with PBS to develop a process for testing whether systems can be restored, before the systems are deployed. They also want guidance for officials to securely develop mobile apps.

Cruz said PBS and the CIO will work together to implement the new requirements this fiscal year. He added that all of GSA’s systems and apps adhere to the National Institute of Standards and Technology’s processes for assessment and authorization before being put into production. But this year the CIO will issue guidance and direction, as recommended.
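The auditors' recommendation is a process for testing whether a system can actually be restored, not merely that a backup job ran. The script below is an added example of what such a test looks like in practice; it is not GSA's or PBS's procedure. It records a SHA-256 manifest at backup time, restores the archive into a fresh location, and reports files that are missing, altered or unexpected. The sample "system" files, the paths, and the defects injected into the second backup are all constructed for this example.

```python
"""Automated restore test: back up a directory with a hash manifest, restore
it into a fresh location and verify that every file came back intact.

Added example for illustration; not GSA's or PBS's procedure. The sample
"system" files, paths and the defects injected into the second backup are
all constructed for this example.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_sample_system(root: Path) -> None:
    """Constructed stand-in for a system's configuration, data and content."""
    files = {
        "config/db.ini": b"[database]\nhost=db-07.internal\nport=5432\n",
        "data/records.csv": b"id,name\n1,alpha\n2,beta\n",
        "www/index.html": b"<html><body>ok</body></html>\n",
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def make_backup(src: Path, backup_path: Path) -> dict:
    """Write a .tar.gz of src and return {relative path: sha256} recorded at
    backup time. The manifest is what a later restore is checked against, so
    it must be kept separately from the archive it describes."""
    manifest = {}
    with tarfile.open(backup_path, "w:gz") as tar:
        for f in sorted(p for p in src.rglob("*") if p.is_file()):
            rel = f.relative_to(src).as_posix()
            manifest[rel] = sha256_file(f)
            tar.add(f, arcname=rel)
    return manifest


def restore_and_verify(backup_path: Path, manifest: dict, dest: Path) -> dict:
    """Extract the archive into dest and compare the result with the manifest."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(backup_path, "r:gz") as tar:
        # Refuse members that could write outside dest (path traversal, links).
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in Path(m.name).parts or m.islnk() or m.issym():
                raise ValueError(f"unsafe archive member: {m.name}")
        if hasattr(tarfile, "data_filter"):      # extraction filters (Python 3.12+ and backports)
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
    restored = {p.relative_to(dest).as_posix(): sha256_file(p)
                for p in dest.rglob("*") if p.is_file()}
    missing = sorted(k for k in manifest if k not in restored)
    mismatched = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    extra = sorted(k for k in restored if k not in manifest)
    return {"ok": not (missing or mismatched or extra),
            "missing": missing, "mismatched": mismatched, "extra": extra}


def run_restore_test():
    """Exercise a good backup and a defective one; returns both verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "system"
        src.mkdir()
        build_sample_system(src)

        manifest = make_backup(src, tmp / "good.tgz")
        good = restore_and_verify(tmp / "good.tgz", manifest, tmp / "restore-good")

        # Defective backup: one file changed after the manifest was recorded and
        # one file the backup job never captured. Verified against the original manifest.
        (src / "data" / "records.csv").write_bytes(b"id,name\n1,alpha\n")
        (src / "config" / "db.ini").unlink()
        make_backup(src, tmp / "bad.tgz")
        bad = restore_and_verify(tmp / "bad.tgz", manifest, tmp / "restore-bad")
        return good, bad


if __name__ == "__main__":
    good, bad = run_restore_test()
    print("good backup:", good)
    print("bad backup: ", bad)
```

The first restore verifies clean; the second reports `config/db.ini` missing and `data/records.csv` mismatched. Running this kind of check before a system is deployed, against a restore target that is not the production host, is the evidence the auditors asked for: that the recovery procedure works, rather than that a backup file exists.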

About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.


Reader comments

Tue, Oct 9, 2012 OccupyIT

But GSA is the ultimate in IT services! Say it isn't so before I send all my cloud work over to the monopoly... And I thought I could trust their massive marketing campaign and conference presentations...
