
Active Directory Oversight Needs Improvement

Report Information

Date Issued:
Report Number: 2020-20-006
Report Type: Audit
Joint Report: Yes
Participating OIG: Treasury Inspector General for Tax Administration
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

The Chief Information Officer should coordinate with Facilities Management and Security Services to ensure that computer rooms housing ISRP domain controllers are immediately updated to comply with IRM and Federal requirements for Limited Areas, fire safety and suppression, and emergency power.

The Chief Information Officer should physically separate the submission processing equipment from the ISRP domain controllers and enforce access standards for critical areas.

The Chief Information Officer should prioritize all computer rooms housing ISRP domain controllers for access control upgrades to ensure that these rooms are compliant with Federal multifactor authentication requirements.

The Chief Information Officer should ensure that the Applications Development function follows procedures for conducting reviews of the vulnerability scan reports and establishes procedures for verifying and reviewing credentialed vulnerability scan reports.

The Chief Information Officer should ensure that service account passwords for the vulnerability scanning tool are reset, as needed, to allow for credentialed scans and regularly complete credentialed scans for ISRP domain controllers.