Interior Department Audit Spots Nearly 100,000 Software Vulnerabilities

Interior agencies don't know how many computers are on their networks.

Poor management and oversight by Interior Department technologists have resulted in tens of thousands of software weaknesses going unfixed, according to an audit released today.

The department’s top technology office doesn’t require agencies to follow approved practices to detect and patch software weaknesses, doesn’t bar agencies from using unapproved software and doesn’t even know how many computers and servers are running on its networks, according to the report from Interior’s inspector general.

The audit focused on three major information technology systems at three Interior agencies: the Bureau of Reclamation, the U.S. Geological Survey and the Bureau of Safety and Environmental Enforcement.

Tests of the three systems revealed almost 100,000 high-risk software vulnerabilities, nearly 6,000 of which had gone unpatched for a year or more.

Only 88 percent of computers and servers at the agencies were connected to inventorying software, auditors found. That’s shy of the 95 percent Interior planned to have plugged into monitoring systems by the close of fiscal 2014, the report said.

When computers aren’t inventoried, the department has no way of knowing whether they carry security weaknesses that could be exploited by hackers. It also can’t ensure rogue devices haven’t wormed their way onto the networks, auditors said.

“If only 88 percent of [the Interior Department’s] more than 100,000 IT hardware assets are actively managed, then the security status of more than 10,000 devices is left unknown,” auditors said.

The inspector general recommended beefing up computer inventorying requirements for Interior agencies, enforcing requirements that agencies install inventorying software, and adding new software and management controls.

Interior’s chief information officer agreed with the vast majority of the recommendations.