This page contains information about recommendations that remain open because the OIG determined that the Department had not fully implemented corrective actions. The OIG reports the funds put to better use, questioned costs, restitution, funds returned to the Department, and penalties and court costs associated with all recommendations in its Semiannual Reports to Congress.
Open Recommendations
We continue to recommend that the Manager, ORNL Site Office, direct the contractor responsible for operating the WARS to implement security controls to correct the identified vulnerabilities by taking the following actions:

A. Identify all servers, workstations, and networked devices within the WARS boundary that are necessary for its successful operation. Remove any unnecessary assets, update system documentation to include relevant details, monitor the WARS for future changes, and maintain an accurate asset list.

B. Upgrade or replace unsupported software and install the latest security updates/patches for all servers, workstations, and networked devices within the system boundary.

C. Install endpoint protection software on all applicable servers, workstations, and networked devices and ensure that this software can receive regular updates.

D. Disable unencrypted services and replace them with alternate services that are configured to use strong encryption. Establish a configuration monitoring process to prevent future use of unencrypted services and services using weak encryption settings.
Enhance operational procedures of the vulnerability management program to demonstrate alignment with Binding Operational Directive 22-01.
"Finalize implementation of the updated vulnerability management plan to ensure corrective actions for vulnerabilities identified are applied to effectively implement patches and fixes, as required. If required remediation timelines cannot be adhered to, consistently document the risk acceptance, business rationale, and/or technical issue(s) related to vulnerability remediation."