The Commerce Department has routinely failed to implement crucial security assessment measures and an effective continuous monitoring program, according to a new Inspector General report published this week.
The overall maturity of the Department of Commerce's IT security program hasn't progressed in more than five years, according to a recent oversight report, which identified ad hoc planning and reporting procedures and frequently inaccurate system security plans as ongoing risks for the agency.
The report published last week said the department did not conduct effective planning for system assessments in a majority of cases reviewed by the inspector general's office, with only 122 of 256 systems producing consolidated security assessment plans across all of its bureaus.
Asked why it failed to include required planning steps in its assessment process, one bureau told the inspector general's office "that it preferred to plan as it goes," the report said, while others cited a lack of due diligence by staff and delayed implementation efforts.
"Without an effective process to plan, execute, and monitor system assessments, systems may be compromised due to ineffective security controls," the report said.
While the department implemented initiatives to address previously identified shortcomings, from updating its enterprisewide risk management tool to developing training materials and establishing working groups, the report continued to observe "persistent deficiencies in the implementation of information security policies and processes."
The department's system security plans, which are meant to maintain a majority of security information for federal systems, routinely failed to relay accurate critical security information, the report said. Some mislabeled important fields and featured incorrect control status and inheritance information, while 83% of the 256 systems lacked updated security controls, which the department required all bureaus to implement to supplement standard NIST SP 800 guidance in 2019.
The significant number of inaccuracies within the department's plans "indicates a pervasive problem" with its ability to manage system security documentation "and shows that system staff lack familiarity with their systems and department policy," the IG report stated.
The report included six recommendations for the department and its CIO, including holding IT security staff accountable for meeting assessment requirements, as well as implementing tracking and reporting measures to ensure system security documentation is accurate.
The IG office instructed bureau CIOs to determine why plan of action and milestone data was not achievable, then work to provide guidance on how to move forward with and prioritize certain objectives.
The Commerce Department pushed back against the IG report's description of certain findings, while ultimately concurring with its recommendations. In a response attached to the report, the department said a policy modernization initiative underway will address many of the IG office's findings "once implemented."