GSA agrees to speed up system patches

GSA failed to comply with its own patching guidelines in three of the four systems examined, IG finds.

General Services Administration officials intend to increase the speed with which they patch their computer networks, after a recent inspector general audit found the agency moving too slowly.

A GSA spokesman said Oct. 4 that GSA has a robust vulnerability scanning and patch management program. It scans more than 2,000 servers and more than 10,000 workstations and then patches them “in a very timely manner.” But officials know they must move faster to check and patch agency IT systems.

“GSA will further work with system owners to lower the patching cycle times as much as possible and ensure the databases are not at risk to exploitation,” said the spokesman, Dan Cruz.

To prevent abuse, system officials must ensure they capture all relevant fixes for their systems and software when those fixes are released. They also must test the fixes for adverse effects and, if all goes well, implement them. GSA requires officials to address all high-risk vulnerabilities within 30 days.
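The 30-day requirement above is a measurable control. The following added example (not GSA's tooling or code from the article) shows how a system owner could check scan findings against it: flag open high-risk findings past the deadline and report cycle times for the ones already patched. The finding records and dates are constructed for illustration.

```python
from datetime import date

# GSA requirement cited in the article: high-risk findings fixed within 30 days.
HIGH_RISK_DEADLINE_DAYS = 30

# Constructed sample scan findings (hypothetical hosts and ids).
# "patched" is None while the fix is still outstanding.
SAMPLE_FINDINGS = [
    {"id": "F-001", "host": "db-01", "severity": "high",
     "discovered": date(2012, 8, 1), "patched": date(2012, 8, 20)},
    {"id": "F-002", "host": "db-02", "severity": "high",
     "discovered": date(2012, 7, 15), "patched": None},
    {"id": "F-003", "host": "ws-17", "severity": "medium",
     "discovered": date(2012, 7, 1), "patched": None},
    {"id": "F-004", "host": "db-03", "severity": "high",
     "discovered": date(2012, 9, 10), "patched": None},
    {"id": "F-005", "host": "db-04", "severity": "high",
     "discovered": date(2012, 6, 1), "patched": date(2012, 8, 15)},
]


def patch_status(findings, as_of):
    """Evaluate high-risk findings against the 30-day deadline as of a date.

    Returns overdue open findings (oldest first), counts of patched findings
    that met or missed the deadline, and the mean patching cycle time.
    """
    overdue, cycle_times = [], []
    for f in findings:
        if f["severity"] != "high":
            continue  # only high-risk findings carry the 30-day requirement
        if f["patched"] is not None:
            cycle_times.append((f["patched"] - f["discovered"]).days)
            continue
        days_open = (as_of - f["discovered"]).days
        if days_open > HIGH_RISK_DEADLINE_DAYS:
            overdue.append({"id": f["id"], "host": f["host"],
                            "days_open": days_open})
    overdue.sort(key=lambda o: o["days_open"], reverse=True)
    on_time = sum(1 for d in cycle_times if d <= HIGH_RISK_DEADLINE_DAYS)
    return {
        "overdue": overdue,
        "closed_within_deadline": on_time,
        "closed_late": len(cycle_times) - on_time,
        "mean_cycle_days": (sum(cycle_times) / len(cycle_times)
                            if cycle_times else None),
    }
```

Running `patch_status(SAMPLE_FINDINGS, date(2012, 9, 28))` (the audit report date) flags F-002 as 75 days open and reports one patch closed on time and one closed late.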

But, in a report dated Sept. 28, IG auditors found the agency did not complete the work in time on two of the four systems they audited. The offices that managed those systems allowed officials at least two months to resolve weaknesses. In addition, GSA had not completed adequate scans of a third system, resulting in multiple database patching problems dating back to 2009.

Cruz agreed there are challenges in patching a few databases within 30 days. Database applications need to be thoroughly tested before they can be put into production to prevent them from breaking, he said.

“In these cases, we use a risk-based approach and a defense in depth security strategy to ensure that the databases are not exposed to the Internet, therefore lowering the risk,” he said.

Auditors were reviewing the agency IT security programs and controls as the Federal Information Security Management Act requires IGs to do annually. In the evaluation, auditors also found GSA’s Public Building Service lacks procedures to ensure that system officials can recover data and restore the system in case of a contingency. Further, the CIO lacks guidance for securely developing mobile applications to minimize mobile threats. GSA has five custom apps available for the public to use. But the CIO does not outline the required controls and assessments that system security officials should perform to ensure the apps are secure. Instead, the CIO’s office told auditors it expects to be notified when another office creates a new app.

Auditors recommended the CIO work with PBS to develop a process for testing whether systems can be restored, before the systems are deployed. They also want guidance for officials to securely develop mobile apps.

Cruz said PBS and the CIO will work together to implement the new requirements this fiscal year. He added that all of GSA’s systems and apps adhere to the National Institute of Standards and Technology’s processes for assessment and authorization before being put into production. But this year, the CIO will issue guidance and direction, as recommended.