IG: Interior risks exposing sensitive data

Deficient IT security controls at a core data center put the Department of Interior at risk of exposing sensitive and personally identifiable information, according to an inspector general report released Feb. 17.

The report zeroed in on the implementation of continuous diagnostics and mitigation tools, a set of software that is supposed to help monitor network security and keep current with security fixes. The CDM program, operated by the Department of Homeland Security, helps agencies acquire and onboard commercial cybersecurity tools.

The CDM implementation at Interior, the IG found, is "immature and not fully effective in protecting the 24 information technology systems … from potential exploitation."  Additionally, the report found that the CIO does not provide sufficient oversight of the agency’s IT security program.

The report redacted the name and location of the data center, but noted that it houses 24 IT systems operated by Bureaus of Indian Affairs and Indian Education, as well as systems from other agencies.

The report stated that BIA's inadequate oversight practices left 20,135 unmitigated critical and high-risk vulnerabilities on BIA and BIE's high-value IT assets, including 3,972 for which software patches were available. Hundreds of the vulnerabilities were found on software programs no longer supported by their original vendor. Auditors also found that BIA does not have a complete inventory of the devices on its network.

Additionally, the IG reported that DOI had deficient contingency plans to ensure continuous business operations. The inadequate plans resulted in computer hardware failures and a disruption to the department's operations during a power outage in March 2016.

The IG also found a problem with device management at BIA, with 22 of 185 devices reviewed not included in the agency's inventory because the bureau had not installed the proper software on all its devices. As a result, the bureau could not adequately identify unauthorized devices on its network, and some BIA and BIE devices may not be included in vulnerability scans and may contain unmitigated vulnerabilities.

Additionally, the IG found unsecured computer servers and stated that BIA did not adequately monitor its computer systems to ensure their security.

Interior CIO Sylvia Burns and Lawrence S. Roberts, the principal deputy assistant secretary for Indian Affairs, noted that the CDM program was still coming online at Interior and was dependent on the schedule of DHS and its contractors. The reply also indicated that BIA had reviewed existing IT contracts and developed guidance as to what security functions to include in future IT services contracts. Overall, Interior and BIA told auditors it was developing practices to secure its operating systems and set a June 30, 2018, deadline for departmentwide implementation.