Significant IT Security Program Improvements Are Needed to Adequately Secure NTIA’s Systems

Editor’s Note: The Department of Commerce’s OIG/Office of Audit and Evaluation Final Report No. OIG-12-035-A is attached here. The Report’s summaries of Findings and Recommendations are reprinted below.

From: Commerce OIG FISMA audit report for NTIA

WHAT WE FOUND

Fundamental steps for securing NTIA’s information and systems have not been taken. When assessing seven NTIA systems, we found these deficiencies:

(1) inadequate security categorizations that jeopardize critical bureau information, (2) significant weaknesses in IT software and hardware inventory practices, (3) major inadequacies in NTIA’s process to remediate security weaknesses, (4) weaknesses in managing its IT security workforce and developing effective IT security policies and procedures, and (5) significant deficiencies in key IT security controls. These issues have resulted in ineffective management of security controls needed to protect NTIA’s systems and information.

WHAT WE RECOMMEND

The Assistant Secretary for Communications and Information should ensure:

1. The authorization status of NTIA’s systems is revised to interim authorization to operate until these activities have been completed:

a. System owners and NTIA officials collaborate to identify and categorize all information types that are processed, stored, or transmitted by each system and categorize each system accordingly.

b. System owners develop and maintain an accurate hardware and software inventory for their systems.

c. NTIA implements and assesses appropriate IT security controls.

d. NTIA follows the plan of action and milestones process required by the Department’s IT security policy.

2. System owners, IT security officers, authorizing officials, and other staff with critical IT security roles are appropriately trained, earn certifications as required by Department policy, and have the required metrics incorporated into their performance plans.

3. NTIA’s chief information officer and IT security officer develop and maintain NTIA security policies, procedures, standards, and guidance consistent with departmental and federal requirements.
