Commerce, Energy and Justice Departments Get Generally Positive Cyber Assessments


Agencies' inspectors general are submitting reports as part of the 2015 Cybersecurity Act.

The Commerce, Energy and Justice departments received generally positive cybersecurity assessments from their respective inspectors general offices.

The Cybersecurity Act of 2015 requires department OIGs to submit to Congress reviews of internal cyber practices, including the "logical access" policies under which some users are granted or denied permission to view certain information. Reviews are due by mid-August.

Commerce's logical access policies generally followed appropriate standards and specific operating units told OIG they had such access controls in most systems, the report said. All nine operating units OIG examined have "external monitoring, security operations centers, intrusion detection systems/intrusion prevention systems, and event correlation tools," the report found.

The report also highlighted some lags: Commerce's National Oceanic and Atmospheric Administration and the Office of the Secretary both had outdated logical access control policies. Census and the U.S. Patent and Trademark Office didn't have logical access controls fully implemented; 10 of Census' 12 systems, and one of USPTO's, didn't have logical access fully implemented. Five of Commerce's nine operating units didn't have multifactor authentication for privileged users who can access personally identifiable information.

Commerce concurred with the findings.


Justice is "making progress" in requiring personal identity verification cards for its logical access system, the OIG found, though "significant work" still needs to be done. About 60 percent of privileged and 58 percent of unprivileged users have multifactor PIV-based authentication, though DOJ has written up a "corrective action plan" to meet the 100 percent requirement from the Office of Management and Budget.

DOJ has implemented Secure Socket Layer and user activity monitoring for forensic purposes, the report said. KPMG, contracting with DOJ's OIG for the audit, confirmed that those tools were operational, but "more coordination" is required across DOJ to fully deploy the technology. DOJ concurred with the findings, the report found.

The Energy Department "generally developed and implemented" cybersecurity measures, especially related to logical access management, which includes account management, remote access and unsuccessful login attempts, that review found. But the department manages software licenses through a decentralized program and doesn't have a policy governing that program, the report found.

Still, the review found the Energy Department had an "overall lack of policies and procedures" for software license inventories, and while "mixed capabilities existed related to forensic and data exfiltration capabilities," there were "limited to no capabilities" for governing how media can be distributed.