The External Network Perimeter Was Generally Secure, Though the Security of Supporting Components Could Be Improved

The Chief Information Officer should ensure that comprehensive and accurate inventories of information system components are maintained, including the GSS-1 inventory, that include the level of granularity necessary for tracking and reporting, and should implement improved procedures for ensuring that the inventory remains accurate and up-to-date.

The Chief Information Officer should improve processes to ensure that all vulnerability findings are reviewed, analyzed, and appropriately addressed within the required time frames.

The Chief Information Officer should ensure that the SRCO group improves its remediation tracking processes to include tracking the age of the vulnerability, creating monthly metrics to be used by management to assess the IRS's progress in vulnerability remediation, and implementing an escalation process that provides management visibility.