This page contains information about recommendations that remain open because the OIG determined that the Department had not fully implemented corrective actions. The OIG reports the funds put to better use, questioned costs, restitution, funds returned to the Department, and penalties and court costs associated with all recommendations in its Semiannual Reports to Congress.
Open Recommendations
Enhance operational vulnerability and software patch management procedures to ensure vulnerabilities that cannot be patched, such as configuration weaknesses and unsupported software, are investigated and resolved in a timely manner, or implement a risk acceptance or POA&Ms process.
Enhance operational vulnerability and software patch management procedures to ensure vulnerabilities that cannot be patched, such as configuration weaknesses and unsupported software, are investigated and resolved in a timely manner, or implement a risk acceptance or POA&Ms process.
We continue to recommend that the Manager, Fermi Site Office, direct Fermi Research Alliance, LLC to update the vulnerability remediation process, including monitoring corrective actions for vulnerabilities identified during the scanning process and monitoring patching tools to ensure patches are applied, as intended.
We continue to recommend that the Manager, Fermi Site Office, direct Fermi Research Alliance, LLC to enhance operational vulnerability management procedures to ensure vulnerabilities that cannot be patched, such as configuration weaknesses and unsupported software, are validated as unfixable, required for the mission, and mitigated to an acceptable risk with Authorizing Official concurrence.
Update the vulnerability remediation process, including monitoring corrective actions for vulnerabilities identified during the scanning process, monitoring vendor patch releases and end-of-life notifications, and monitoring patching tools to ensure patches are applied, as intended.
We continue to recommend that the Manager, ORNL Site Office, direct ORNL to: 15A. Update the vulnerability remediation process, including monitoring corrective actions for vulnerabilities identified during the scanning process, monitoring vendor patch releases and end-of-life notifications, and monitoring patching tools to ensure patches are applied, as intended.
Enhance operational vulnerability management procedures to ensure vulnerabilities that cannot be patched, such as configuration weaknesses and unsupported software, are investigated and resolved in a timely manner.
We continue to recommend that the Manager, ORNL Site Office, direct ORNL to: B. Enhance operational vulnerability management procedures to ensure vulnerabilities that cannot be patched, such as configuration weaknesses and unsupported software, are investigated and resolved in a timely manner.
Ensure application security controls are implemented in the NARAC application to protect against known types of attacks. (21-LLNL-PT-01, Rec 1)
Update existing web application security risk assessment and testing processes for the National Atmospheric Release Advisory Center application and remediate known web application vulnerabilities. (21-LLNL-PT-01)