GSA agrees to speed up system patches

General Services Administration officials intend to increase the speed with which they patch their computer networks, after a recent inspector general audit found the agency moving too slowly.

A GSA spokesman said Oct. 4 that GSA has a robust vulnerability scanning and patch management program. It scans more than 2,000 servers and more than 10,000 workstations and patches them “in a very timely manner.” But officials acknowledge they must move faster to check and patch agency IT systems.

“GSA will further work with system owners to lower the patching cycle times as much as possible and ensure the databases are not at risk to exploitation,” said the spokesman, Dan Cruz.

To prevent exploitation, system officials must track every relevant fix for their systems and software as it is released, test each fix for adverse effects, and deploy it if testing succeeds. GSA requires officials to address all high-risk vulnerabilities within 30 days.

But, in a report dated Sept. 28, IG auditors found the agency did not complete the work in time on two of the four systems they audited. The offices that managed those systems allowed officials at least two months to resolve weaknesses. In addition, GSA had not completed adequate scans of a third system, resulting in multiple database patching problems dating back to 2009.

Cruz agreed there are challenges in patching a few databases in 30 days. Database applications need to be thoroughly tested before they can be put into production to prevent them from breaking, he said.

“In these cases, we use a risk-based approach and a defense in depth security strategy to ensure that the databases are not exposed to the Internet, therefore lowering the risk,” he said.
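The two points above, a fixed remediation window for high-risk findings and compensating controls that lower exposure without closing a finding, are what a patch-cycle report has to keep separate. The script below is an added example, not GSA's tooling or anything from the audit: it takes a constructed set of scanner findings, computes the cycle time from first detection to verified fix (or to the report date if still open), flags anything past its SLA, and annotates late findings on hosts that are not Internet-exposed as mitigated rather than as compliant. The 30-day high-risk window is the one stated in the article; the 60-day window for moderate findings, the hostnames, dates and check names are all assumptions made for the sample.

```python
"""Patch-SLA report over constructed vulnerability-scan findings.

Added example; not GSA code. The finding fields, sample hosts, dates and
the 60-day moderate window are assumptions. Only the 30-day high-risk
window comes from the article.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Days allowed from first detection to verified fix, by severity.
SLA_DAYS = {"high": 30, "moderate": 60}  # "moderate": 60 is assumed


@dataclass(frozen=True)
class Finding:
    host: str
    check: str                 # scanner check name (placeholder text)
    severity: str              # "high" or "moderate"
    first_seen: date           # first scan that reported it
    remediated: Optional[date]  # date the fix was verified, None if open
    internet_exposed: bool     # used only to annotate compensating controls


def cycle_time_days(f: Finding, as_of: date) -> int:
    """Days from first detection to verified fix, or to `as_of` if still open."""
    end = f.remediated if f.remediated is not None else as_of
    return (end - f.first_seen).days


def is_overdue(f: Finding, as_of: date) -> bool:
    """True once a finding has exceeded its severity's window, fixed late or still open."""
    return cycle_time_days(f, as_of) > SLA_DAYS[f.severity]


def classify(f: Finding, as_of: date) -> str:
    """Bucket a finding for the report.

    A host that is not Internet-exposed lowers the exposure of a late finding,
    but the finding is still counted as overdue: compensating controls are a
    risk note, not SLA compliance.
    """
    if not is_overdue(f, as_of):
        return "within-sla" if f.remediated is not None else "open-in-sla"
    return "overdue-mitigated" if not f.internet_exposed else "overdue"


def summarize(findings: List[Finding], as_of: date) -> Dict[str, int]:
    """Count findings per bucket for a given report date."""
    counts = {"within-sla": 0, "open-in-sla": 0, "overdue-mitigated": 0, "overdue": 0}
    for f in findings:
        counts[classify(f, as_of)] += 1
    return counts


# Constructed sample: report date matches the audit report date in the article.
AS_OF = date(2012, 9, 28)
SAMPLE = [
    # database server, fixed after 45 days, not reachable from the Internet
    Finding("db-01", "database engine patch", "high", date(2012, 7, 1), date(2012, 8, 15), False),
    # workstation, fixed in 12 days
    Finding("ws-100", "browser plugin update", "high", date(2012, 9, 1), date(2012, 9, 13), True),
    # public web server, still open at 39 days
    Finding("web-02", "web server patch", "high", date(2012, 8, 20), None, True),
    # file server, moderate finding open for 18 days, still inside its window
    Finding("file-07", "file service update", "moderate", date(2012, 9, 10), None, False),
]


if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.host:8} {f.severity:9} {cycle_time_days(f, AS_OF):3}d  {classify(f, AS_OF)}")
    print(summarize(SAMPLE, AS_OF))
```

The "overdue-mitigated" bucket is the one to watch in a report like this: it is where a risk-based deferral can quietly become a permanent exception, and it is exactly the kind of multi-year database backlog the audit described.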

Auditors were reviewing the agency IT security programs and controls as the Federal Information Security Management Act requires IGs to do annually. In the evaluation, auditors also found GSA’s Public Building Service lacks procedures to ensure that system officials can recover data and restore the system in case of a contingency. Further, the CIO lacks guidance for securely developing mobile applications to minimize mobile threats. GSA has five custom apps available for the public to use. But the CIO does not outline the required controls and assessments that system security officials should perform to ensure the apps are secure. Instead, the CIO’s office told auditors it expects to be notified when another office creates a new app.

Auditors recommended the CIO work with PBS to develop a process for testing whether systems can be restored, before the systems are deployed. They also want guidance for officials to securely develop mobile apps.

Cruz said PBS and the CIO will work together to implement the new requirements this fiscal year. He added that all of GSA’s systems and apps adhere to the National Institute of Standards and Technology’s processes for assessment and authorization before being put into production. But this year, the CIO will issue guidance and direction, as recommended.

About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.


Reader comments

Tue, Oct 9, 2012 OccupyIT

But GSA is the ultimate in IT services! Say it isn't so before I send all my cloud work over to the monopoly... And I thought I could trust their massive marketing campaign and conference presentations...
