Parts of the Interior Department’s computer system security measures are three years out of date.
A DoI Inspector General investigation found that access to privileged functions is not properly restricted, mobile devices are not encrypted, and DoI lacks the ability to inspect encrypted data altogether.
“These deficiencies occurred because DoI has not adopted [the National Institute of Standards and Technology’s] current standards and instead is following outdated standards,” the August 9 report said.
NIST released special publication 800-53 revision 4, a document that specifies required standards for these and more security measures governmentwide, in April of 2013. Agencies have one year from the date of release to be in compliance with the directive.
The OIG report stated that the logical access controls, which restrict access to privileged functions, did not meet NIST’s standards on eight out of nine systems tested. The OIG noted that general users were not restricted from these functions, which were not audited and included access to security measures, increasing risk from insider and advanced persistent threats.
In addition, the OIG found that independent audits of DoI’s systems in 2014 and 2015 discovered not only these deficiencies, but also that DoI had no process to grant or remove access, did not disable inactive accounts, and did not perform account reviews to determine how many of these accounts existed. When KPMG, the auditor, recommended that DoI implement these policies, DoI concurred.
Finally, smartphones and tablets were not encrypted, which endangered the “confidentiality and integrity of sensitive data,” the report said. According to a June audit of the department’s mobile devices, thousands of these unsecured phones and tablets exist without proper security configurations.
In fact, the OIG determined that DoI lacks the ability to analyze encrypted traffic altogether, as it has no decryption device, although it has plans to install one.
“Capabilities to analyze encrypted traffic are essential to detect malicious content or data exfiltration that often occurs over encrypted channels,” the report said. “This capability is especially critical because 40 percent of DoI’s Internet-bound network traffic is encrypted.”
It wasn’t all bad news, however. The OIG report said that DoI was in compliance with standards for multifactor authentication and software inventory.
The agency currently has no digital rights management standards because it’s not required to have them under federal regulations, the report said. DoI did request funding for DRM in its 2017 budget, but was denied.