Date Issued
Report Number
2022-20-006
Report Type
Audit
Joint Report
Yes
Participating OIG
Treasury Inspector General for Tax Administration
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0
Recommendations
The Chief Information Officer should establish an entity to oversee enterprise-wide vulnerability remediation to ensure that vulnerabilities are remediated within required time frames, Plans of Action and Milestones (POA&Ms) and Risk-Based Decisions (RBDs) are documented as required, and vulnerability remediation metrics are reviewed and reported to appropriate leadership.
xxx...
The Chief Information Officer should prioritize the remediation of vulnerabilities that exceeded remediation time frames.
The Chief Information Officer should ensure that vulnerabilities that exceeded remediation time frames are documented with Plans of Action and Milestones (POA&Ms) or Risk-Based Decisions (RBDs) as required.
The Chief Information Officer should develop a process to ensure that network updates that affect vulnerability scanning are properly communicated