The Department Needs to Improve Its System Security Assessment and Continuous Monitoring Program to Ensure Security Controls Are Consistently Implemented and Effective

Attached for your review is the final report on the audit of the U.S. Department of Commerce’s (the Department’s) system security assessment process. The objective of this audit was to assess the effectiveness of the Department’s system security assessment and continuous monitoring program to ensure security deficiencies were identified, monitored, and adequately resolved. 

We found the following: 

I. The Department did not effectively plan for system assessments. 

II. The Department did not consistently conduct reliable system assessments. 

III. The Department did not resolve security control deficiencies within defined completion dates. 

IV. The Department’s security system of record—i.e., the cyber security asset and management tool—did not provide accurate and complete assessment and plan of action & milestone data. 

On December 22, 2021, we received the Department’s response to our draft report. We also received technical comments. Based on those technical comments, we made changes to the final report where appropriate. In response to the draft report, the Department concurred with all of the recommendations and described actions it has taken, or will take, to address them. The Department’s formal response is included within the final report as appendix D. 

Pursuant to Department Administrative Order 213-5, please submit to us an action plan that addresses the recommendations in this report within 60 calendar days. This final report will be posted on OIG’s website pursuant to sections 4 and 8M of the Inspector General Act of 1978, as amended (5 U.S.C. App., §§ 4 & 8M). We appreciate the cooperation and courtesies extended to us by your staff during our audit. If you have any questions or concerns about this report, please contact me at (202) 482-1931 or Chuck Mitchell, Director for Cybersecurity, at (202) 809-9528.