The Interior Department’s office of inspector general has found lapses in DOI’s Continuous Diagnostics and Mitigation program when it comes to safeguarding high-value information technology systems from cyber vulnerabilities.
OIG said in a report published Wednesday its findings are based on the assessment of CDM practices that DOI implements for IT assets operated by the department’s U.S. Geological Survey, Bureau of Reclamation and Bureau of Safety and Environmental Enforcement.
The CDM initiative calls for agencies to implement 15 continuous diagnostic control measures in three phases, according to the report.
Under the program’s Phase 1, agencies should use automated software platforms to facilitate the development and maintenance of computer software and hardware inventories as well as implement enterprise configuration and vulnerability management measures, the IG said.
The report said that DOI failed to mitigate critical network vulnerabilities on the bureaus’ IT assets as well as detect and eliminate potential malware from the IT systems.
The IG also noted that DOI’s office of chief information officer did not require the bureaus to deploy the department’s inventory management software on all computers, monitor computer configurations, create lists of approved software to safeguard systems from malware and comply with best practices for vulnerability mitigation and detection.
The inspector general offered six recommendations in response to the findings and in an effort to help DOI protect its IT infrastructure from potential exploitation.