Cyber Troubles at the Department of Commerce

Published: February 02, 2022

Federal Market Analysis | DOC | Cybersecurity | Government Performance | Information Technology

The Department of Commerce has some work to do to assess and increase visibility of system vulnerabilities, particularly within high value asset systems.

Last month, Commerce’s Inspector General (IG) issued a report evaluating the department’s capabilities in protecting its systems and data from threats. Unfortunately, Commerce did not receive rave reviews from its IG, and coupled with the mundane “C” it received on the latest FITARA scorecard, it looks like the department has its cyber work cut out for it.

The IG report largely attributes Commerce’s subpar IT security program to a lack of defined and implemented IT security practices and procedures; as a result, “…the overall maturity of the Department’s IT security program had not progressed since 2017,” according to the report.

Among the IG’s findings, Commerce did not effectively plan for system assessments, nor consistently execute reliable system assessments. Security Assessment Plans (SAPs), the report explains, are necessary to maintain the enterprise security program and to identify gaps in Risk Management Framework (RMF) processes. At Commerce, the IG found that SAPs for 118 out of 256 systems (46%) were inadequately planned according to department requirements, with many systems lacking tailored guidance on how to assess the system. Moreover, System Security Plans (SSPs), which relay critical information to assessors, lacked department-required content for 212 of the 256 systems (83%).

Additionally, the report found that the department did not consistently conduct assessments for 44% of the systems over the past three years, and that an estimated 20% of systems went a year or more without an independent assessment. More concerning, 2 of the systems within that 20% were labeled High Value Assets (HVAs) and are critical to Commerce’s mission.

Once an assessment identifies a weakness in a system, a Plan of Action & Milestones (POA&M) is developed and housed in a centralized Cyber Security Assessment and Management (CSAM) tool. However, the Commerce watchdog found that the department did not resolve these identified system deficiencies by their defined completion dates. In fact, Commerce missed completion milestones for 500 out of 584 active POA&Ms that the IG reviewed, with the Census Bureau and USPTO accounting for most of the overdue POA&Ms. Reasons the bureaus gave for the delays include “…technical implementation delays, personnel shortages, contractual issues, insufficient funding, priority changes, policy delays, and underestimating the original completion date, among other things,” according to the report.

The IG also found that the Department’s CSAM tool did not present accurate and complete assessment and POA&M data. CSAM is used to provide visibility into enterprise IT risk as well as to facilitate the RMF process. The IG found that over half the systems in the CSAM tool were missing data fields, including Business Identifiable Information, Cloud System Status and HVA status. The IG also identified POA&Ms that were never entered into CSAM, with some bureaus citing duplication of work with system risk data they already track internally. Whatever the reason, incomplete and inaccurate CSAM data undermines the department’s ability to oversee information security across the enterprise.

The report outlines 8 recommendations in response to these findings:

  1. Implement tracking and reporting verifying that (1) assessment planning procedures are documented prior to the execution of an assessment and (2) system security documentation is accurate.
  2. Hold IT security staff accountable for the quality and effective execution of preassessment and assessment processes.
  3. Verify that assessment supporting documentation is maintained and sufficiently supports assessment results to facilitate oversight.
  4. Determine why POA&M dates are not achievable.
  5. Using the analysis from Recommendation 4, provide guidance for how to better plan, prioritize, and resolve POA&Ms within their established milestones.
  6. Hold individuals accountable for not resolving issues within established milestones.
  7. Work with Department bureaus to automate and customize CSAM data entry to ensure CSAM accurately reflects bureau data.
  8. Provide additional CSAM usability training.

Commerce generally agreed with the IG’s findings and recommendations. Though a defined, enterprise-wide plan of action was not included in the report, we know that the department requested a $422M cyber budget for FY 2022, which includes an additional $107M requested by the CIO for cyber upgrades such as increased logging functions and enhanced monitoring tools.

For more insight into Commerce’s cyber portfolio and the overall federal cybersecurity marketplace, refer to Deltek’s Federal Information Security Market, 2021 – 2023 report.