NTIA IT security 'significantly' deficient, says OIG
Information technology systems at the National Telecommunications and Information Administration have significant deficiencies, according to a Sept. 7 report from the Commerce Department office of inspector general.
Among the problems highlighted in the report are poor security categorizations, weak software and hardware inventory practices, inadequate remediation of security problems, mismanaged IT security personnel, and deficient IT security policies and procedures.
Report authors found five miscategorized NTIA systems that should have been categorized at a higher security impact level. Without a solid understanding of its assets, NTIA cannot accurately determine risks posed to the system and select appropriate security controls, says the OIG.
The agency also failed to properly identify all its hardware and software components. Auditors identified 44 servers that were not listed in NTIA's official inventory, almost double the number of officially reported servers. They also found two operating systems not listed in NTIA's official inventory, frequent instances of unsupported and outdated software, and unauthorized movies and games associated with peer-to-peer file sharing.
The report says NTIA's action plan to correct IT security weaknesses is lacking. The agency must remediate vulnerabilities through the plan of action and milestones, or POA&M, process. However, report authors say NTIA was not using POA&Ms to document all known IT security weaknesses in five of its systems.
The agency failed to ensure its IT security workforce has the appropriate training and certifications. Eighty percent of workers with IT security responsibilities hadn't completed IT security training in the past 2 years, and ninety percent of those surveyed didn't have the certifications required by department policies, report authors found.
The agency is also vulnerable to cyber attacks. Auditors found 31 accounts, including 6 administrator accounts, with passwords that would never expire and never need to be changed. The OIG also found that 114 of 821 accounts had not been accessed in 90 days but had not been disabled, despite department policies requiring accounts to be disabled after 30 days of inactivity.
Auditors also found that NTIA hasn't limited system and application functionality to ensure that only necessary services are enabled.
"We found 156 unique open ports on NTIA's workstations, and each port was identified on many different workstations," says the report, which identified ports running unauthorized web servers, ports commonly used by malicious software, and ports running suspicious software.
Report authors recommend NTIA Administrator Larry Strickling ensure the agency takes corrective action. System owners and NTIA officials should identify and categorize all "information types that are processed, stored, or transmitted by each system," develop and maintain an accurate inventory, assess and implement IT security controls, and follow NTIA security policies, say report authors. The agency should also ensure that all IT security personnel are appropriately trained and certified.
In response to the draft report, Strickling agreed with the IG's recommendations and agreed to implement the suggested actions.
UPDATE: A representative from NTIA contacted FierceGovernmentIT saying that many of the issues raised by the IG have since been resolved by NTIA, because the IG's inspection took place in March. The report's appendix includes a letter from Strickling pointing to immediate steps NTIA took to address recommendations in the report, the representative added.
- download the report, "Significant IT Security Program Improvements Are Needed to Adequately Secure NTIA's Systems," (.pdf)