The Energy Department has made progress shoring up vulnerabilities previously identified by its inspector general in unclassified IT systems, but significant flaws persist, according to an audit released last week.
The IG audit states DOE remediated 10 of 12 prior-year deficiencies across its infrastructure, which includes the National Nuclear Security Administration, and improved how it reports contractor system security information to the Office of Management and Budget and the Homeland Security Department.
However, “issues related to vulnerability management, system integrity of web applications, access controls and segregation of duties, and configuration management, continue to exist.” The audit goes on to list several issues that call into question DOE’s vulnerability management program.
In one example, workstations at two DOE locations were missing current security patches for known vulnerabilities despite patches being released 30 days prior to testing. In other cases, workstations were no longer supported by the vendor.
Deficiencies also plagued the department’s web apps across various business divisions.
“Our testing identified that applications used to support human resources, financial and business activities accepted malicious input that could have been used to launch attacks against application users,” the audit states. The audit also highlighted instances where user authentication information was handled “in an unsecure manner.”
DOE also needs to update the directive from which it derives its cybersecurity policies. The audit states DOE continues to “reference outdated guidance” from the National Institute of Standards and Technology rather than its Special Publication 800-53, Revision 4.
The audit concludes with a series of recommendations to DOE and NNSA: correct weaknesses previously identified, fully develop plans of action and milestones to improve performance monitoring for all identified cyber weaknesses, and update and implement program-level cybersecurity policies and procedures across NNSA.
DOE’s leadership team agreed with each of the recommendations, with deliverables expected early to mid-2017.