Office of Inspector General
U.S. Consumer Product Safety Commission

Report on the Penetration and Vulnerability Assessment of CPSC's Information Technology Systems

June 11, 2019
Report No. 19-A-08

Vision Statement

We are agents of positive change striving for continuous improvements in our agency's management and program operations, as well as within the OIG.

Statement of Principles

We will:
- Work with the Commission and the Congress to improve program management;
- Maximize the positive impact and ensure the independence and objectivity of our audits, investigations, and other reviews;
- Use our investigations and other reviews to increase government integrity and recommend improved systems to prevent fraud, waste, and abuse;
- Be innovative, question existing procedures, and suggest improvements;
- Build relationships with program managers based on a shared commitment to improving program operations and effectiveness;
- Strive to continually improve the quality and usefulness of our products; and
- Work together to address government-wide issues.

Office of Inspector General
U.S. CONSUMER PRODUCT SAFETY COMMISSION

June 11, 2019

TO: Ann Marie Buerkle, Acting Chairman
    Robert S. Adler, Commissioner
    Elliot F. Kaye, Commissioner
    Dana Baiocco, Commissioner
    Peter A. Feldman, Commissioner

FROM: Christopher W. Dentel, Inspector General

SUBJECT: Summary of Defense Point Security's Penetration Testing

To assess the security of the United States Consumer Product Safety Commission's (CPSC) information technology (IT) infrastructure, the CPSC Office of Inspector General (OIG) retained the services of Defense Point Security (DPS). Under a contract monitored by the OIG, DPS conducted a penetration and vulnerability assessment of the CPSC's IT systems. The contract required that the assessment be performed in accordance with the Council of the Inspectors General on Integrity and Efficiency's (CIGIE) Quality Standards for Inspection and Evaluation (QSIE).
In connection with the contract, we reviewed DPS's report and related documentation and inquired of its representatives. Our review was not intended to enable us to express, and we do not express, an opinion on the matters contained in the report. DPS is responsible for the attached report. However, our review disclosed no instances where DPS did not comply, in all material respects, with CIGIE's QSIE.

DPS obtained an understanding of CPSC systems, controls, and vulnerabilities sufficient to prioritize the risks and vulnerabilities identified. This prioritization will assist CPSC management in prioritizing the remedial actions necessary to ameliorate the IT security risks found by DPS. DPS noted 17 findings and made 40 recommendations.

Due to the sensitive nature of the information contained in their report and our desire to not provide a roadmap for penetrating the CPSC's IT security, this office is publishing a brief summary of the report rather than the report itself.

Should you have any questions, please contact me.

Report on the Penetration and Vulnerability Assessment of CPSC's Information Technology Systems
June 11, 2019

Summary

Objective

The objective of this penetration test was to assess the security of the United States Consumer Product Safety Commission's (CPSC) information technology (IT) infrastructure by identifying, cataloging, and safely exploiting security vulnerabilities. This test should assist the CPSC in identifying and prioritizing remedial efforts that will improve the agency's security posture by eliminating security weaknesses that could have a significant negative impact on the confidentiality, integrity, and availability of agency information systems and data.

Background

This engagement required the contractor, Defense Point Security (DPS), to obtain an understanding of CPSC systems, controls, and vulnerabilities sufficient to prioritize the risks and vulnerabilities identified. This prioritization will allow CPSC management to make an informed determination on which remedial steps to perform and the order in which to perform them.

The report addresses:
- CPSC Cross-Cutting Strategic Priority #3: Information Technology
- Office of Inspector General Management Challenge #4: Information Technology Security

Assessment

On the basis of our assessment, we determined that the CPSC's security controls require improvement to more effectively detect and prevent certain cyberattacks.

During the time DPS was performing its assessment, the CPSC experienced an unrelated network outage which led to a suspension of fieldwork. Also, early on in the testing phase DPS discovered improperly posted sensitive information which was publicly accessible via widely-used search engines and CPSC.gov. DPS notified the CPSC immediately about this discovery.

We shared the results of this assessment with CPSC senior management and IT staff during the engagement and at a meeting on May 6, 2019. Management generally concurred with our observations. We have addressed their comments about the report as appropriate.

We noted that the CPSC's web application protections were generally sound at the time of testing. However, as part of our wireless, internal, and physical assessments, we found multiple security risks which in combination create a substantial risk to agency systems and data.

We provided 40 actionable recommendations. These recommendations address issues of physical security, controls over sensitive information, system configuration, authentication, and other system security issues. When completed, these recommendations will significantly improve the information technology security posture of the CPSC. Management has already implemented some of the recommendations.
Penetration and Vulnerability Assessment of CPSC's IT Systems (19-A-08)

Appendix B: Agency Response

CONTACT US

If you want to confidentially report or discuss any instance of misconduct, fraud, waste, abuse, or mismanagement involving the CPSC's programs and operations, please contact the CPSC Office of Inspector General.

Call: Inspector General's HOTLINE: 301-504-7906
Or: 1-866-230-6229

Or Write:
Office of Inspector General
U.S. Consumer Product Safety Commission
4330 East-West Highway, Room 702
Bethesda MD 20814
Report on the Penetration and Vulnerability Assessment of CPSC's Information Technology Systems
Published by the Consumer Product Safety Commission, Office of Inspector General on 2019-06-11.