Report on the Penetration and Vulnerability Assessment of CPSC's Information Technology Systems

Published by the Consumer Product Safety Commission, Office of Inspector General on 2019-06-11.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

Office of Inspector General
U.S. Consumer Product Safety Commission

Report on the Penetration and Vulnerability Assessment of CPSC's Information Technology Systems

June 11, 2019

Report No. 19-A-08
Vision Statement

We are agents of positive change striving for continuous
improvements in our agency’s management and program
operations, as well as within the OIG.


Statement of Principles

We will:

Work with the Commission and the Congress to improve
program management;

Maximize the positive impact and ensure the independence and
objectivity of our audits, investigations, and other reviews;

Use our investigations and other reviews to increase
government integrity and recommend improved systems to
prevent fraud, waste, and abuse;

Be innovative, question existing procedures, and suggest
improvements;

Build relationships with program managers based on a shared
commitment to improving program operations and
effectiveness;

Strive to continually improve the quality and usefulness of our
products; and

Work together to address government-wide issues.
Office of Inspector General
U.S. Consumer Product Safety Commission

June 11, 2019

TO:           Ann Marie Buerkle, Acting Chairman
              Robert S. Adler, Commissioner
              Elliot F. Kaye, Commissioner
              Dana Baiocco, Commissioner
              Peter A. Feldman, Commissioner


FROM:         Christopher W. Dentel, Inspector General

SUBJECT:      Summary of Defense Point Security’s Penetration Testing

To assess the security of the United States Consumer Product Safety Commission’s
(CPSC) information technology (IT) infrastructure, the CPSC Office of Inspector
General (OIG) retained the services of Defense Point Security (DPS). Under a
contract monitored by the OIG, DPS conducted a penetration and vulnerability
assessment of the CPSC’s IT systems. The contract required that the assessment
be performed in accordance with the Council of the Inspectors General on Integrity
and Efficiency’s (CIGIE) Quality Standards for Inspection and Evaluation (QSIE).

In connection with the contract, we reviewed DPS’s report and related
documentation and inquired of its representatives. Our review was not intended to
enable us to express, and we do not express, an opinion on the matters contained
in the report. DPS is responsible for the attached report. However, our review
disclosed no instances where DPS did not comply, in all material respects, with
CIGIE’s QSIE.

DPS obtained an understanding of CPSC systems, controls, and vulnerabilities
sufficient to prioritize the risks and vulnerabilities identified. This prioritization will
assist CPSC management in prioritizing the remedial actions necessary to
ameliorate the IT security risks found by DPS.

DPS noted 17 findings and made 40 recommendations. Due to the sensitive nature
of the information contained in their report and our desire to not provide a roadmap
for penetrating the CPSC’s IT security, this office is publishing a brief summary of
the report rather than the report itself.

Should you have any questions, please contact me.
Report on the Penetration and Vulnerability Assessment of CPSC's Information Technology Systems
June 11, 2019

Summary

Objective

The objective of this penetration test was to assess the security of the United States Consumer Product Safety Commission's (CPSC) information technology (IT) infrastructure by identifying, cataloging, and safely exploiting security vulnerabilities. This test should assist the CPSC in identifying and prioritizing remedial efforts that will improve the agency's security posture by eliminating security weaknesses that could have a significant negative impact on the confidentiality, integrity, and availability of agency information systems and data.

Background

This engagement required the contractor, Defense Point Security (DPS), to obtain an understanding of CPSC systems, controls, and vulnerabilities sufficient to prioritize the risks and vulnerabilities identified. This prioritization will allow CPSC management to make an informed determination on which remedial steps to perform and the order in which to perform them.

The report addresses:

CPSC Cross-Cutting Strategic Priority #3: Information Technology

Office of Inspector General Management Challenge #4: Information Technology Security

Assessment

On the basis of our assessment, we determined that the CPSC's security controls require improvement to more effectively detect and prevent certain cyberattacks.

During the time DPS was performing its assessment, the CPSC experienced an unrelated network outage which led to a suspension of fieldwork. Also, early on in the testing phase DPS discovered improperly posted sensitive information which was publicly accessible via widely used search engines and CPSC.gov. DPS notified the CPSC immediately about this discovery.

We shared the results of this assessment with CPSC senior management and IT staff during the engagement and at a meeting on May 6, 2019. Management generally concurred with our observations. We have addressed their comments about the report as appropriate.

We noted that the CPSC's web application protections were generally sound at the time of testing. However, as part of our wireless, internal, and physical assessments, we found multiple security risks which in combination create a substantial risk to agency systems and data.

We provided 40 actionable recommendations. These recommendations address issues of physical security, controls over sensitive information, system configuration, authentication, and other system security issues. When completed, these recommendations will significantly improve the information technology security posture of the CPSC. Management has already implemented some of the recommendations.

Penetration and Vulnerability Assessment of CPSC’s IT Systems (19-A-08)                                   1
Appendix B: Agency Response




CONTACT US

If you want to confidentially report or discuss any instance of misconduct, fraud, waste, abuse, or mismanagement involving the CPSC's programs and operations, please contact the CPSC Office of Inspector General.

Call:
Inspector General's HOTLINE: 301-504-7906
Or: 1-866-230-6229

Or Write:
Office of Inspector General
U.S. Consumer Product Safety Commission
4330 East-West Highway, Room 702
Bethesda, MD 20814