FEDweek IT

The Office of the Chief Information Officer does not perform required security testing on the COE, the IG also concluded.

It said OCIO does not ensure that all computer servers connected to the COE are scanned for vulnerabilities or that identified weaknesses are remediated – estimating, based on a random sample, that a third of department computers could have critical issues.

The CIO agreed with recommendations to enforce password complexity requirements, and monitor periodic exercises that test COE users’ knowledge of security requirements when accessing emails on the government network.

The CIO also agreed to use automated tools, such as vulnerability scanners or web application scanners, to monitor applications residing in the COE on a constant basis, and to require each operating administration (OA) to mitigate vulnerabilities in its systems or remove the systems from the network; to develop and maintain a registry of authorized network devices accessible to staff who monitor departmental networks; to ensure that system owners perform regular vulnerability assessments and scans of all internal systems to identify known vulnerabilities and common misconfigurations; to establish a practice ensuring that OAs and OCIO collaborate and agree on remediation plans; and to perform annual penetration testing.