The General Services Administration’s (GSA) robotic process automation (RPA) program has helped the agency to reduce repetitive administrative tasks, but a new report from the GSA Office of Inspector General (OIG) finds that the security of the program needs significant improvement.

GSA’s RPA program uses bots – or software applications that simulate human actions – to automate tasks such as copying data, filling out forms, and sending emails. However, the OIG said the bots’ ability to perform thousands of tasks at high speed “poses unique risks to GSA’s systems and data.”

“GSA should strengthen the security of its RPA program,” the report says. “We found that GSA’s RPA program did not comply with its own IT security requirements to ensure that bots are operating securely and properly. GSA also did not consistently update system security plans to address access by bots.”

“Instead of addressing these issues, RPA program management simply removed or modified the requirements,” it adds.

According to the report, GSA has an RPA security policy, but its RPA program did not comply with its own requirements regarding baseline monitoring, weekly log reviews, and annual bot reviews.

However, GSA officials told the OIG that many of the security requirements in its RPA policy “were not realistic and should not have been included in the policy.”

Additionally, the OIG found that GSA’s RPA policy required system security plans to address the system’s interaction with bots. Even so, the OIG reviewed the system security plans for 16 GSA systems that are accessed by bots and found that none of them were updated in accordance with the RPA policy.

“When GSA learned of the deficiencies in its system security plans during our audit, it removed the requirement to update the system security plans from its RPA policy,” the report reveals. “Instead of addressing the deficiencies, GSA revised the RPA policy by changing the requirement to update system security plans to ‘suggested actions.’”

Finally, the report finds that GSA’s RPA program “did not establish an access removal process for decommissioned bots, resulting in prolonged, unnecessary access that placed GSA systems and data at risk of exposure.”

The OIG offered seven recommendations to GSA, including that it conduct a comprehensive assessment of its RPA policy to ensure it is effectively designed and implemented. Additionally, the OIG recommended that GSA develop oversight mechanisms to enforce compliance with its RPA policy and develop a process for removing access for decommissioned bots.

GSA “did not entirely agree” with the OIG’s findings and offered additional context and clarifications. However, GSA agreed with all of the recommendations and is developing a plan to address each one.

Grace Dille
Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.