Report Description:
For our audit of the Department's multifactor authentication (MFA) for its high value assets (HVA), our objective was to determine whether the Department has implemented MFA for its HVAs in accordance with zero trust architecture (ZTA) principles.
To address this objective, we determined the extent to which four selected bureaus had implemented MFA for their HVAs in accordance with Office of Management and Budget (OMB) requirements.
The four selected bureaus were the Bureau of Economic Analysis (BEA), the U.S. Census Bureau (Census), the National Institute of Standards and Technology (NIST), and the National Telecommunications and Information Administration (NTIA).
We were able to exploit a weak MFA implementation to gain access to one NTIA system through a simulated phishing attack. We also found that none of the five selected HVAs had fully implemented all three OMB requirements:
1. phishing-resistant MFA,
2. application-layer MFA, and
3. modern password policies.
Specifically, we found:
I. NTIA Did Not Implement Adequate MFA to Protect an HVA Against Phishing Attacks
II. Selected Bureaus Had Not Fully Implemented MFA for Their HVAs in Accordance with ZTA Principles
Date Issued:
Monday, January 22, 2024
Submitting OIG-Specific Report Number:
OIG-24-009-A
Component, if applicable:
Office of the Secretary
Location(s):
Agency-Wide
Type of Report:
Audit
Questioned Costs:
$0
Funds for Better Use:
$0
Number of Recommendations:
8
Report updated under NDAA 5274:
No
View Document:
| Attachment | Size |
|---|---|
| OIG-24-009.pdf | 5.08 MB |