During the pandemic, agencies were generally successful in securing networks for remote access, but a sample of a dozen organizations found that some cyber vulnerabilities had been overlooked.
A recent Government Accountability Office report said the greatest improvement needs were to assess all relevant IT security controls and improvements, and to fully document the necessary corrective actions. Agencies have better documented both their telecommuting security policies and relevant IT security controls and improvements.
In agency documentation, GAO examined system security plans, the results of security control assessments, corrective action plans, and whether or not agencies followed National Institute of Standards and Technology cybersecurity guidelines, in particular SP 800-53.
“If agencies do not sufficiently document relevant security controls, assess controls, and fully document corrective actions for identified weaknesses in security controls, they are at increased risk that vulnerabilities in their systems that provide remote access can be exploited,” GAO wrote.
A month before the report’s release, Jennifer Franks, director of information technology and cybersecurity at GAO, said the agency would expand its reviews to take into account recent efforts to manage supply chain risk, citing the SolarWinds incident and the Microsoft Exchange vulnerabilities as examples.
The GAO studied actions taken by 12 agencies and ultimately recommended action to six: the Securities and Exchange Commission, the Social Security Administration, the FBI, the Office of Personnel Management, and the Departments of Transportation and Homeland Security. The agencies studied for the report all support essential national functions that must continue in an emergency, have at least 1,000 employees, and have at least 20% of their workforce eligible for telework.
To keep workers connected, all agencies used virtual private networks, while seven of them used direct access to applications. Five agencies used application portals and only one provided remote desktop access to teleworkers. Half of them allowed employees to use personal devices, and all provided employees with secure tokens, according to the report. Most agencies reported getting around the challenge of these tokens’ short expiration times by creating more temporary credentials.
SEC, SSA, and Transportation each received a combination of the following recommendations:
- Document the relevant IT security controls and enhancements in the system security plan that provides remote access for telecommuting;
- Evaluate all IT security controls and enhancements relevant to the system that provides remote access for telecommuting;
- Evaluate and sufficiently document the evaluation of IT security controls and enhancements relevant to the system that provides remote access for telecommuting; and
- Systematically monitor progress towards completion of corrective actions by including estimated completion dates in its action plan and milestones for the system that provides remote access for telecommuting.
“For example, as of May 2021, [SSA] had not documented approximately half of the relevant controls and improvements in the plan. SSA IT security officials told us that the agency is reorganizing the components that make up the system providing remote access to agency employees and that, due to the reorganization, they had not updated the system security plan since 2016,” GAO wrote. “The SSA, however, said the controls and improvements were in place.”
It warned the SSA and SEC that until these agencies systematically document the network’s cybersecurity controls, officials will not have the information they need to make “credible, risk-based decisions about their information systems.”
Other organizations studied that did not receive recommendations were the Food and Nutrition Service at the Department of Agriculture; the Office of Indian Affairs, the National Park Service, the Federal Highway Administration, the IRS, the Federal Law Enforcement Training Centers, and the US Secret Service at DHS; and the Executive Office for Immigration Review at the Department of Justice.
GAO conducted the study between April 2020 and September 2021, under a provision of the CARES Act that requires the oversight agency to report on its ongoing monitoring and oversight efforts related to the COVID-19 pandemic.