An OIG report suggests the Bureau of Indian Affairs' cyber program wasn't enough to protect 24 systems internally.
An Interior Department agency's cybersecurity protection may have left "thousands of critical and high-risk vulnerabilities" unaddressed for years, a watchdog report shows.
The Bureau of Indian Affairs didn't ensure contractors managing a data center were implementing the Interior Department's IT security program, which may have ensured those vulnerabilities were detected, according to Interior's Office of the Inspector General.
Part of the problem was that BIA's Continuous Diagnostics and Mitigation program did not adequately protect 24 systems within BIA, as well as others within the Bureau of Indian Education. Bureaus "either failed" to install all parts of CDM's first phase controls, which monitors hardware assets, or "implemented the control incompletely or ineffectively."
In one case, a power outage resulted in hardware and software system failures. After the outage, when power was eventually restored to computers, it wasn't automatically restored to the corresponding air conditioning units, so the temperature rose to 120 degrees. Those problems could have been avoided if the bureau and its contractors had fulfilled federal contingency plan requirements for events such as power outages, the report said.
BIA also didn't have the Interior Department's inventory management software on its computers, and didn't remove unauthorized software on its systems, the report said. "[I]n our judgment, these deficiencies occurred because the Office of the Chief Information Officer (OCIO) did not provide the necessary oversight to ensure that bureaus and their contractors met federal and department IT security requirements."
Until it improves its cyber practices, "and OCIO strengthens its oversight role," BIA's data is "at high risk of compromise," the report said. That could have a "serious adverse effect on DOI operations and cause the loss of sensitive data. "
The watchdog recommended BIA create a better process for making sure its systems are up to date, and establish controls that would remove unauthorized software, among other steps. BIA and the Interior's Office of the CIO concurred with the recommendations.