Commerce Department IG: NOAA Has Several Vulnerabilities in Key Directories
The Department of Commerce inspector general said the National Oceanic and Atmospheric Administration had significant gaps in managing three Active Directories and failed to protect critical information.
According to a Commerce Department IG audit, NOAA’s National Environmental Satellite, Data and Information Service; National Weather Service; and National Marine Fisheries Service had accounts with excessive privileges and vulnerable end-of-life systems that are active. Specifically, auditors found that 58 accounts on over 200 computers had unneeded local administration privileges that allowed them to install malicious software, disable anti-virus applications and grant full data access.
The audit also found that 12 users had remote access to computers or could make unintended security changes. The IG added that NOAA had vulnerable end-of-life systems still running, FedScoop reported.
Other issues found in the audit include nearly 300 enabled accounts that have not been used in the last two months, 48 outdated account passwords, 102 passwords with no expiration dates and 356 passwords
The IG office recommended that NOAA’s chief information officer ensure all Active Directory accounts adhere to a privilege guideline from the National Institute of Standards and Technology, so that users only have access to required functions. The CIO should also determine if line offices can use specialized security tools for periodic reviews and require compensating controls for service accounts that cannot regularly change passwords.
The OIG also urged the NOAA CIO to create plans for upgrading or shutting down computers with end-of-life operating systems.
NOAA concurred with the recommendations and said it is actively working to address the vulnerabilities. The IG office also gave NOAA until April 4 to submit an action plan on how to apply the recommendations to the three reviewed systems.