This page contains information about recommendations that remain open because the OIG determined that the Department had not fully implemented corrective actions. The OIG reports the funds put to better use, questioned costs, restitution, funds returned to the Department, and penalties and court costs associated with all recommendations in its Semiannual Reports to Congress.
Open Recommendations
Update and implement vulnerability management procedures to ensure that security vulnerabilities involving anonymous access, default credentials, and vulnerable services are identified, monitored, and remediated.
Ensure application security controls are implemented in the WAPA development Portal to protect against known types of attacks, including cross-site scripting and unauthorized actions.
Update existing web application security risk assessment and testing processes for the WAPA Portal and remediate known web application vulnerabilities.
Update the vulnerability identification and software patch management process to ensure vulnerabilities are appropriately monitored and patches are applied in a timely manner.
Enhance operational vulnerability and software patch management procedures to ensure vulnerabilities that cannot be patched, such as configuration weaknesses and unsupported software, are investigated and resolved in a timely manner, or implement a risk acceptance or POA&M process.
Update the vulnerability remediation process, including monitoring corrective actions for vulnerabilities identified during the scanning process, monitoring vendor patch releases and end-of-life notifications, and monitoring patching tools to ensure patches are applied as intended.
Enhance operational vulnerability management procedures to ensure vulnerabilities that cannot be patched, such as configuration weaknesses and unsupported software, are investigated and resolved in a timely manner.
Identify all servers, workstations, and networked devices within the WARS boundary that are necessary for its successful operation. Remove any unnecessary assets, update system documentation to include relevant details, monitor the WARS for future changes, and maintain an accurate asset list.
Upgrade or replace unsupported software and install the latest security updates/patches for all servers, workstations, and networked devices within the system boundary.
Install endpoint protection software on all applicable servers, workstations, and networked devices and ensure that this software can receive regular updates.