The Commerce Department has established a vulnerability disclosure program to help protect its public-facing IT systems, but a new report from the agency’s Office of Inspector General (OIG) reveals that the program is “not fully effective.”

According to the Nov. 20 audit, the Commerce Department established the vulnerability disclosure program to meet a directive from the Cybersecurity and Infrastructure Security Agency (CISA).

That directive called on every federal agency to set up a vulnerability disclosure policy (VDP) that allows members of the public to identify and report vulnerabilities on internet-accessible government systems.

“The Department established a vulnerability disclosure program; however, it was not fully effective,” the report says. “Specifically, the Department’s VDP did not include all internet-accessible systems, the VDP’s testing guidelines restricted the tools public security researchers could use to identify system vulnerabilities, the Department did not always fully remediate reported vulnerabilities, and the Department did not always remediate vulnerabilities within established deadlines.”

“Without an effective vulnerability disclosure program, the Department cannot safeguard its internet-accessible systems, leaving them susceptible to potential compromise and exploitation,” it adds.

The OIG explained that the department limited its VDP scope to a list of 64 internet-accessible websites, leaving out 22 department-owned or -operated websites.

Additionally, the OIG found that the VDP contractor’s reporting portal banned the use of automated scanners, which it said are “commonly used by public security researchers to identify vulnerabilities.”

The OIG also discovered, in its assessment of 71 “resolved vulnerability disclosures,” that the department did not always fully remediate vulnerabilities. The watchdog attempted to reproduce the reported vulnerabilities and found that 57 of them (80%) were fully remediated, but 14 (20%) were not.

Notably, the OIG said that since 2023, the Commerce Department did not remediate vulnerabilities within established deadlines about 35% of the time.

The OIG made three recommendations to the Commerce Department. Those include revising the testing scope to align with CISA’s VDP policy, updating and implementing VDP procedures, and working with bureaus to implement an automated solution to prompt action on delayed vulnerability remediation. The Commerce Department concurred with the recommendations.

Grace Dille
Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.