IG: Interior Fails to Comply with FDCC
Nearly One-Third of PCs Aren't Properly Configured
It was a mandate for the Interior Department chief information officer: All offices and bureaus must fully comply with the Federal Desktop Core Configuration standards by Sept. 30, 2008, exactly a year ago. However, a just-released audit report by the Interior's inspector general reveals that nearly one-third of the department's tested computers failed to comply with minimum FDCC standards, a list of security settings recommended by the National Institute of Standards and Technology for PCs that are connected to a government agency's network. Of 13 Interior Department offices visited by IG auditors, who tested 560 computers running the Microsoft Windows XP operating system between April and June, average compliance reached 90 percent or higher at five offices, 60 percent to 75 percent at three offices and below 60 percent at five offices. Only 45 percent of computers not centrally managed had proper FDCC settings.
In addition to examining compliance with FDCC standards, the IG found substandard conditions in server rooms, unauthorized network circuits and unauthorized network equipment. In the 20-page report, the IG published pictures of a password and user name taped to a PC monitor, servers crowded into rooms also used for storage of a variety of articles, and a bucket resting on network equipment near an electrical outlet to catch water leaking from a pipe attached to the ceiling above.
Interior's cybersecurity division is charged with providing oversight, but lacks the necessary resources and expertise to conduct useful oversight functions such as inspections, technical testing and monitoring, the report says. "Lack of oversight is a significant weakness in the department's overall information systems security program," the IG writes.
Among the IG's recommendations:
- Add qualified IT security inspectors to the department's cybersecurity division,
- Leverage existing technology such as enterprise Active Directory to enable departmental oversight,
- Consolidate equipment in facilities designed to house computer equipment, and
- Standardize software products so monitoring is easier and support costs are lower.