The Interior Department's use of out-of-date logical access control protocols makes the agency vulnerable to insider threats, a new cyber audit showed.
Interior's Office of the Inspector General found the department's cyber protections are also lagging in two other areas: It needs to do more to protect the information on employees' mobile devices, and it doesn't currently have a way to monitor encrypted traffic for malware, the report said.
Under the 2015 Cybersecurity Act, OIG was required to inspect federal IT across departments by mid-August.
The department needs to update its logical access control — the process by which users can access or be denied access to data — to meet current standards set by the National Institute of Standards and Technology, OIG found. Eight of nine systems the watchdog examined, two of which were operated by contractors, didn't meet NIST's current requirement. If Interior updates the controls by Dec. 31, it will be about two and a half years late, the report said.
NIST’s minimum controls included “restricting privileged accounts to specific personnel so that general users do not have access to privileged functions,” and auditing the functions in privileged accounts to reduce the risk from insider threats. As of March, Interior reported having 71,290 general users and 4,728 privileged computer users.
Interior also didn't have a process to ensure it was implementing full-disk encryption on mobile devices, including smartphones and tablets, the report said. A June 2016 audit also found thousands of Interior's employee devices didn’t have the right security configurations, meaning cyber criminals could potentially access government data.
Despite these lags, Interior has beefed up its cyber protection by implementing multifactor authentication and has also written up a guide to the CIO's Software Asset Management policy to manage compliance with licenses, copyrights and configurations. The department is on track to finalize a guide to that policy by September, the office of the CIO said.
And while Interior can't currently analyze encrypted traffic for malicious content, the department plans to install a "decryption device" that could do just that, OIG found in its most recent examination. About 40 percent of the department's network traffic is encrypted.