In a report on the Department of Commerce’s system security assessment process, the Commerce Inspector General (IG) found that the agency must improve the system and continuous monitoring program for effective security controls.
In the report, the IG was assessing the effectiveness of Commerce’s system security assessment and continuous monitoring program to ensure security gaps were identified and resolved. The audit was focused on potential deficiencies in Commerce’s implementation of the Assess and Monitor steps in the Risk Management Framework, developed by the National Institute of Standards and Technology.
The audit found the following:
- It did not effectively plan for system assessments;
- It did not consistently conduct reliable system assessments;
- It did not resolve security control deficiencies within completion dates; and
- It did not have a security system of record that could provide accurate and complete assessment and plan of action and milestone data.
“We previously noted that the overall maturity of the department’s IT security program had not progressed since 2017,” the report said. “We conducted this audit in response to repeated issues surrounding the department’s overarching implementation and maturity of its IT security program.”
The IG made six recommendations to Commerce’s CIO and two recommendations for the Deputy Secretary of Commerce. The Commerce CIO and Deputy Secretary of Commerce concurred with all the recommendations. The recommendations to the CIO include:
- Implement tracking and reporting to verify that “assessment planning procedures are documented prior to the execution of an assessment and system security documentation is accurate”;
- Hold IT security staff accountable for executing quality and effective pre-assessment and assessment processes;
- Verify that assessment supporting documentation is maintained and supports assessment results to facilitate oversight;
- Determine why the plan of action and milestones (POA&M) dates are unachievable;
- Using Recommendation 4’s analysis, provide guidance for how to plan, prioritize, and resolve POA&Ms within their established milestones; and
- Hold individuals accountable for not resolving issues within established milestones.
The recommendations for the Deputy Secretary of Commerce include:
- Work with bureaus within the department to automate and customize cybersecurity asset and management (CSAM) data entry to ensure CSAM accurately reflects bureau data; and
- Provide additional CSAM usability training.