The Department of Energy’s Management of the ActioNet Information Technology Support Contract
Resolve the questioned costs described in this report and ensure that appropriate incurred cost audits are conducted prior to official contract closeout.
Management Letter on the Southwestern Federal Power System’s Fiscal Year 2018 Financial Statement Audit
Coordinate with the Corps to further establish review controls where power accountants review individual projects at year end to ensure Construction in Progress projects are placed in service in a timely manner. Coordinate with the Corps to establish review controls to ensure IDC is recorded only for eligible projects. Coordinate with the Corps to enhance existing procedures over review of power reports to ensure that all applicable revenue is included for each project. Coordinate with the Corps to enhance existing procedures and related controls to ensure that items in the Construction in Progress accounts are placed in service in a timely manner.
Sandia National Laboratories’ Verification of Certificates of Conformance for Nuclear Weapon and Weapon-Related Products
Direct SNL to ensure MESA procurements of weapon products for use in nuclear weapons production are clearly identifiable in its records system and include necessary attributes.
The Department of Energy’s Fiscal Year 2023 Consolidated Financial Statements
Enhance and implement review controls to ensure calculations are properly performed, data is appropriately captured, and errors are appropriately considered so that changes to the baseline are appropriately recorded.
Refine and implement risk register procedures used in the Monte Carlo simulations to reduce the risk of administrative errors.
We recommend that the Manager, PPPO, direct the Deputy Manager, PPPO to: 3. Refine and implement the policies and procedures of the control governing manual review of risk register data prior to submission of the change requests to allow for more precise and reasonable estimates of the environmental liability at PPPO.
We recommend that the Manager, PPPO: 4. Refine and implement the policies and procedures of the risk register review control to properly review, identify, and discuss inaccurate information and inputs to specific risks as part of risk register updates.
Refine the policies and procedures of the control governing manual review of census data prior to submissions to allow for a narrower degree of precision required to detect and correct errors or discrepancies between LBNL and Redwood in a timely manner.
Enhance and implement existing policies and procedures to specifically assess the risk of misstatements presented by stale UCOs left uncosted as of the year-end financial reporting date.
We recommend that the Director, Office of Finance and Accounting, and the Office of Science’s Designated Financial Officer enhance and implement existing policies and procedures to specifically assess the risk of misstatement presented by stale UCOs left uncosted as of the year-end financial reporting date.
We recommend that the Manager, PPPO: 7. Enhance communication down and across the entity's reporting line to readily obtain and provide evidence necessary to support the internal controls systems and demonstrate that "stale" undelivered order balances are still valid as of the year-end financial reporting date.
The Department of Energy’s Unclassified Cybersecurity Program for Fiscal Year 2023
Implement procedures to ensure a complete and updated listing of administrative user accounts of Linux servers is included in the review process.
Define and implement a process for reviewing all Linux server administrators, including those found within the wheel group with root access.
Implement a formalized process to validate or follow up on account removal actions identified during the semi-annual review process to ensure that user accounts align with job responsibilities and least privilege concepts.
Implement system access authorization processes for Splunk administrators to include separation of duties controls. When separation of duties cannot be achieved for conflicting roles, assess the risk and document the control deviation and risk-based decisions.
Ensure that audit log collection and retention is implemented in accordance with Federal and site-level policies and procedures.
Ensure account passwords are reset, and documentation retained, whenever an individual with access to service accounts leaves BEA or is no longer in a role requiring such access.
Update and implement existing configuration management procedures for all servers, printers, and services on the production network to enforce changing default credentials before the server or printer is connected to the network.
Update and implement vulnerability management procedures to ensure that security vulnerabilities involving anonymous access, default credentials, and vulnerable services are identified, monitored, and remediated.
We recommend that the Manager, Thomas Jefferson Site Office (TJSO), direct Jefferson Science Associates, LLC (JSA) to ensure application security controls are implemented in the Management Information System (MIS) portal to protect against known types of attacks, including cross-site scripting and unauthorized actions.
We recommend that the Manager, TJSO, direct JSA to update existing web application security risk assessment and testing processes for the MIS portal and remediate known web application vulnerabilities.
We recommend that the Manager, TJSO, direct JSA to update the vulnerability remediation process, including monitoring corrective actions for vulnerabilities identified during the scanning process and monitoring patching tools to ensure patches are applied as intended.
We recommend that the Manager, TJSO, direct JSA to enhance operational vulnerability management procedures to include regular credentialed scanning and centralized software management to ensure vulnerabilities are appropriately monitored and patches are applied as intended.
Update the vulnerability remediation process to ensure vulnerabilities are appropriately monitored and patches are applied in a timely manner.
Enhance operational vulnerability management procedures to ensure vulnerabilities that cannot be patched, such as configuration weaknesses and unsupported software, are investigated and resolved in a timely manner.
Update and implement existing configuration management procedures for all servers and services on the production network to enforce changing default credentials before the server is connected to the network.
Update and implement vulnerability management procedures to ensure that security vulnerabilities involving anonymous access, default credentials, and vulnerable services are identified, monitored, and remediated.
Ensure application security controls are implemented in the WAPA development Portal to protect against known types of attacks, including cross-site scripting and unauthorized actions.
Update existing web application security risk assessment and testing processes for the WAPA Portal and remediate known web application vulnerabilities.
Update the vulnerability identification and software patch management process to ensure vulnerabilities are appropriately monitored and patches are applied in a timely manner.
Enhance operational vulnerability and software patch management procedures to ensure vulnerabilities that cannot be patched, such as configuration weaknesses and unsupported software, are investigated and resolved in a timely manner, or implement a risk acceptance or POA&Ms process.
We continue to recommend that the Manager, Fermi Site Office, direct Fermi Research Alliance, LLC to update the vulnerability remediation process, including monitoring corrective actions for vulnerabilities identified during the scanning process and monitoring patching tools to ensure patches are applied, as intended.
We continue to recommend that the Manager, Fermi Site Office, direct Fermi Research Alliance, LLC to enhance operational vulnerability management procedures to ensure vulnerabilities that cannot be patched, such as configuration weaknesses and unsupported software, are validated as unfixable, required for the mission, and mitigated to an acceptable risk with Authorizing Official concurrence.
Update the vulnerability remediation process, including monitoring corrective actions for vulnerabilities identified during the scanning process, monitoring vendor patch releases and end-of-life notifications, and monitoring patching tools to ensure patches are applied, as intended.
Enhance operational vulnerability management procedures to ensure vulnerabilities that cannot be patched, such as configuration weaknesses and unsupported software, are investigated and resolved in a timely manner.
Ensure application security controls are implemented in the NARAC application to protect against known types of attacks. (21-LLNL-PT-01, Rec 1)
Update existing web application security risk assessment and testing processes for the National Atmospheric Release Advisory Center application and remediate known web application vulnerabilities. (21-LLNL-PT-01)
Identify all servers, workstations, and networked devices within the WARS boundary that are necessary for its successful operation. Remove any unnecessary assets, update system documentation to include relevant details, monitor the WARS for future changes, and maintain an accurate asset list.
Upgrade or replace unsupported software and install the latest security updates/patches for all servers, workstations, and networked devices within the system boundary.
We continue to recommend that the Manager, ORNL Site Office, direct the contractor responsible for operating the WARS to implement security controls to correct the identified vulnerabilities by taking the following actions: C. Install endpoint protection software on all applicable servers, workstations, and networked devices and ensure that this software can receive regular updates.
We continue to recommend that the Manager, ORNL Site Office, direct the contractor responsible for operating the WARS to implement security controls to correct the identified vulnerabilities by taking the following actions: D. Disable unencrypted services and replace them with alternate services that are configured to use strong encryption. Establish a configuration monitoring process to prevent future use of unencrypted services and services using weak encryption settings.
Enhance operational procedures of the vulnerability management program to demonstrate alignment with Binding Operational Directive 22-01.
Finalize implementation of the updated vulnerability management plan to ensure corrective actions for vulnerabilities identified are applied to effectively implement patches and fixes, as required. If required remediation timelines cannot be adhered to, consistently document the risk acceptance, business rationale, and/or technical issue(s) related to vulnerability remediation.
The Department of Energy’s Ransomware Countermeasures and Response
Conduct an analysis or risk assessment that evaluates ransomware threats and the cost to fully recover from a ransomware event, including considerations in the Department’s guidance on Analyzing Ransomware Risk: A Blueprint for Quantification.
Develop and implement a process to perform continuous monitoring activities to fully evaluate third-party providers’ information technology environments for security changes or threats.
Develop and conduct contingency plan and incident response testing exercises that include and/or mimic a ransomware event and incorporate the lessons learned into the site’s recovery and response capabilities.
Implement more effective oversight of data protection by the Information Technology Services Directorate, such as a review process, to determine what data should be backed up and ensure that appropriate corrective actions are taken.
Ensure that the contractual requirements included in applicable Department directives are flowed down to the support subcontractors or define specific reporting requirements for when an event occurs such as a ransomware attack.
Implementation and Administration of the Human Reliability Program at the Savannah River Site
Perform a comprehensive review of E3S for K-Area to identify whether there are gaps in access controls or SRS established procedures that have led to personnel accountability exceptions
Ensure additional compensatory measures are put in place and implemented to address any gaps identified based on the review
Implement monthly reviews of E3S exception logs to ensure timely identification of trends or determine the root causes of personnel accountability exceptions and address any issues identified
Ensure compensatory measures are put in place and implemented to address any gaps identified based on the comprehensive review performed in conjunction with the Savannah River Operations Office
Implement monthly reviews of E3S exception logs to ensure timely identification of trends or determine the root causes of personnel accountability exceptions and address any issues identified
Opportunities Exist to Improve Bonneville Power Administration’s Management of Fish and Wildlife Program Contracts
Develop a tool to analyze the data in CBFish and identify potential issues.
Identify the optimal size of the CO workforce to ensure that it is appropriate for the workload distribution.
Review the seven contracts that remain open as identified in the report, along with the expired contracts and agreements not included in our sample, and address the issues resulting in delayed closeout.
Develop and implement additional processes and controls to strengthen BPA’s oversight and monitoring of contracts such as training, tracking task status more accurately, and documenting justification for final disposition of task.
Update BPA’s policies and procedures to include a process for closing out IAAs and to establish specific closeout timeframes.
Evaluate the current design and operating effectiveness of the invoicing practices and revise, develop, or implement a policy to strengthen and improve BPA’s overall approach to reviewing invoices.
Consider the use of a structured, documented self-assessment process to ensure compliance with applicable requirements and continuous improvement of the Program.
CO make a determination regarding the allowability of questioned costs identified in this report, recover those amounts determined to be unallowable, and determine whether additional steps are needed to validate the allowability of costs.