Commerce OIG Report Finds Deficiencies in System Security Assessment and Continuous Monitoring Program
The US Commerce Department Office of Inspector General conducted an audit “to assess the effectiveness of the Department’s system security assessment and continuous monitoring program to ensure security deficiencies were identified, monitored, and adequately resolved.” The report concluded that the Commerce Department fell short in planning system assessments and in conducting effective assessments. In addition, the department did not resolve security control deficiencies within scheduled deadlines.
Most of the report points to problems with accuracy and completeness of the data in the CSAM tool Commerce (and many other government agencies) uses to meet reporting requirements. This often happens when operational tools are used for vulnerability scanning and inventory discovery and the customization and integration required has not been done in the reporting system to support direct import of timely and accurate data. You can push the button on the reporting tool and creates pages and pages of reports, but any audit finds these same problems.
Assessing the security posture of our information systems to ensure the security posture remains appropriate is a challenge for everyone and is easy to postpone. With the advent of more tools to verify security against baselines, it’s tempting to just install and walk away, rather than integrating them fully into your processes. Make sure that you not only have a view into the current security posture but also are tracking remediation efforts. Don’t forget to monitor your cloud services as well. Figure out how you’re going to track and remediate cloud and outsourced system security as part of the onboarding process, then verify they are being monitored and reviewed at least annually.