Recommendations

This page contains information about recommendations that remain open because the OIG determined that the Department had not fully implemented corrective actions. The OIG reports the funds put to better use, questioned costs, restitution, funds returned to the Department, and penalties and court costs associated with all recommendations in its Semiannual Reports to Congress.

Open Recommendations

Update and implement vulnerability management procedures to ensure that security vulnerabilities involving anonymous access, default credentials, and vulnerable services are identified, monitored, and remediated.

  • Recommendation #8A

    Ensure application security controls are implemented in the MIS portal to protect against known types of attacks, including cross-site scripting and unauthorized actions.


We recommend that the Manager, Thomas Jefferson Site Office (TJSO), direct Jefferson Science Associates, LLC (JSA) to ensure application security controls are implemented in the Management Information System (MIS) portal to protect against known types of attacks, including cross-site scripting and unauthorized actions.

  • Recommendation #8B

    Update existing web application security risk assessment and testing processes for the MIS portal and remediate known web application vulnerabilities.


We recommend that the Manager, TJSO, direct JSA to update existing web application security risk assessment and testing processes for the MIS portal and remediate known web application vulnerabilities.

  • Recommendation #9A

    Update the vulnerability remediation process, including monitoring corrective actions for vulnerabilities identified during the scanning process and monitoring patching tools to ensure patches are applied as intended.


We recommend that the Manager, TJSO, direct JSA to update the vulnerability remediation process, including monitoring corrective actions for vulnerabilities identified during the scanning process and monitoring patching tools to ensure patches are applied as intended.

  • Recommendation #9B

    Enhance operational vulnerability management procedures to include regular credentialed scanning and centralized software management to ensure vulnerabilities are appropriately monitored and patches are applied as intended.


We recommend that the Manager, TJSO, direct JSA to enhance operational vulnerability management procedures to include regular credentialed scanning and centralized software management to ensure vulnerabilities are appropriately monitored and patches are applied as intended.

Conduct an analysis or risk assessment that evaluates ransomware threats and the cost to fully recover from a ransomware event, including considerations in the Department’s guidance on Analyzing Ransomware Risk: A Blueprint for Quantification.