Mid October 2015, the Department of Commerce’s Inspector General (IG) released findings about the Bureau of Industry and Security’s (BIS) risk management and cyber hygiene. The report, “Lack of Basic Security Practices Hindered BIS’ Continuous Monitoring Program and Placed Critical Systems at Risk,” provides findings from an audit conducted to assess the strategy and implementation of information security technologies. In addition to evaluating BIS’s approach, the review intended to consider whether the organization’s leadership was being equipped with sufficient information to improve security-oriented decision making.
There was good news and bad news. The good: the documented strategy for continuous monitoring was compliant with departmental policy and NIST guidance. The bad: the execution of that strategy was found to be problematic. BIS neglected fundamental security practices and, as a result, placed high-impact systems at risk. In particular, the IG determined that vulnerability scanning practices were deficient and that there was no assurance that identified issues were being remediated.
In its findings, the IG offered five recommendations to address the shortfalls. First, BIS needs an accurate, current inventory of the hardware and software that make up its information ecosystem. Second, the vulnerability scanning procedure should regularly complete a credentialed assessment of the entire BIS inventory; prompt review of the resulting scan reports is another area that needs improvement. Third, the processes and responsibilities for addressing any vulnerabilities within BIS systems should be documented. The last two recommendations focused on Plans of Action and Milestones (POA&Ms). The fourth directed BIS to prepare POA&Ms for any un-remediated security weaknesses. The fifth and final step outlined for BIS was to address the need for more management oversight of the POA&M process; in particular, measures should be taken to establish accountability and to confirm that all of the required elements are included in each POA&M.
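The first, second and fourth recommendations can be checked mechanically once the inventory, scan results and POA&M records are in one place. The following is an added example (not from the IG report or from BIS) that reconciles a hypothetical asset inventory against the latest scan results and flags open weaknesses that have no POA&M; all host names, finding IDs and dates are constructed.

```python
from datetime import date

# Constructed sample data: a hypothetical inventory, scan results and findings.
INVENTORY = {"bis-web-01", "bis-db-01", "bis-fs-02", "bis-app-03"}

# Latest scan per host: whether it ran with credentials, and when.
SCAN_RESULTS = {
    "bis-web-01":    {"credentialed": True,  "scanned": date(2015, 10, 1)},
    "bis-db-01":     {"credentialed": False, "scanned": date(2015, 10, 1)},
    "bis-app-03":    {"credentialed": True,  "scanned": date(2015, 7, 2)},
    "bis-legacy-09": {"credentialed": True,  "scanned": date(2015, 10, 1)},
}

FINDINGS = [
    {"id": "F-1", "host": "bis-web-01", "found": date(2015, 6, 1),  "remediated": True,  "poam": None},
    {"id": "F-2", "host": "bis-web-01", "found": date(2015, 6, 1),  "remediated": False, "poam": None},
    {"id": "F-3", "host": "bis-app-03", "found": date(2015, 9, 20), "remediated": False, "poam": "POAM-7"},
]


def coverage_gaps(inventory, scans, as_of, max_age_days=30):
    """Hosts that fail the 'credentialed scan of the entire inventory' test,
    plus scanned hosts missing from the inventory (an inventory accuracy gap)."""
    gaps = {}
    for host in sorted(inventory):
        result = scans.get(host)
        if result is None:
            gaps[host] = "never scanned"
        elif not result["credentialed"]:
            gaps[host] = "uncredentialed scan"
        elif (as_of - result["scanned"]).days > max_age_days:
            gaps[host] = "stale scan"
    for host in sorted(set(scans) - set(inventory)):
        gaps[host] = "not in inventory"
    return gaps


def unplanned_weaknesses(findings, as_of, grace_days=30):
    """Open findings older than grace_days that have no POA&M attached."""
    return sorted(
        f["id"] for f in findings
        if not f["remediated"] and f["poam"] is None
        and (as_of - f["found"]).days > grace_days
    )


if __name__ == "__main__":
    today = date(2015, 10, 15)
    print("coverage gaps:", coverage_gaps(INVENTORY, SCAN_RESULTS, today))
    print("open findings without POA&M:", unplanned_weaknesses(FINDINGS, today))
```

The thresholds (30-day scan age, 30-day grace period before a POA&M is required) are assumptions for the example, not figures from the report.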
The report noted that BIS concurred with all of the recommendations, which seems fitting. An article in FCW highlighted the organization's security-related functions, particularly those concerning technology exports. Since underlying habits and culture are often cited as the foundation for sound security, it is understandable to assume that a group with a security-focused mission might have an advantage over others that are not geared to consider risk as part of their function. With no end in sight to the stream of attacks on government systems, it seems that few agencies (if any) lack key areas to improve. To be sure, this audit is not the first to note problems with fundamental aspects of government security. As organizations look to adopt new capabilities and solutions like continuous monitoring and security analytics, there are likely to be numerous reminders that the utility of a tool depends on the hand wielding it.