Federal Manager's Daily Report

GSA’s IT security patching for high-risk vulnerabilities is not done quickly enough, the agency’s inspector general has said after looking into whether the agency developed, documented, and implemented a comprehensive agency-wide information security program that addresses risks in the current IT environment.

It found that for newly deployed systems, the Public Buildings Service lacks procedures to ensure that system officials would be able to recover data and restore the system in the event of a contingency. Further, the Office of the CIO lacks comprehensive guidance for the secure development of mobile applications to mitigate mobile threats, the IG said.

It said management agreed with recommendations to conduct additional oversight of patch management to ensure that officials are addressing vulnerabilities of GSA systems quickly, to work with PBS to ensure PBS develops and implements a process for testing the restoration of system backups before new systems are deployed, and to create guidance to help GSA system officials in securely developing applications for mobile platforms.