The Office of Inspector General (OIG) says U.S. Citizenship and Immigration Services (USCIS) did not apply the access controls needed to restrict unnecessary access to its systems, networks, and information.
Access controls help prevent individuals from gaining inappropriate access to systems or data. But an OIG audit has found that USCIS did not consistently manage or remove access for its personnel once they departed positions, and did not have a process to adequately verify access after personnel transferred offices within USCIS.
As part of the audit, OIG tested a statistical sample of all separated personnel from FY 2021. Access for separated personnel is required to be disabled immediately, but OIG determined that 98 of 297 (33 percent) separated personnel had access to the USCIS network beyond 24 hours of departure. Of the 98 separated personnel, 48 had access for at least 22 days after leaving.
In addition, the watchdog determined that USCIS did not take all necessary steps to ensure privileged user access was appropriate and did not adequately manage and monitor service account access. OIG said the deficiencies stemmed from insufficient internal controls and day-to-day oversight to ensure access controls are administered appropriately and effectively to prevent unauthorized access.
The Department of Homeland Security (DHS) has issued departmental guidance requiring all service account passwords to be changed annually to help protect accounts from compromise. The longer a password exists, the higher the risk that the service account may be compromised by an attacker. Therefore, periodically changing passwords is important because they are often the first line of defense against intruders or insiders who attempt to gain unauthorized access to a DHS system. OIG found USCIS did not meet requirements to change passwords for service accounts. The watchdog’s report on its findings notes that 653 service accounts had passwords that had not been changed in over one year. In fact, 338 of these account passwords had not been changed for over five years.
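The two audit tests described above (access still enabled more than 24 hours after separation, and service-account passwords older than the annual rotation requirement) can be scripted against an export of account data. The following is an added example, not code from the OIG report or from USCIS; the account records are constructed for illustration, and the field names (`separated`, `disabled`, `pwd_last_set`, `kind`) are assumptions about what such an export would contain. It reports the same kinds of figures the audit did: the share of separated personnel whose access outlived the 24-hour requirement, and the stale service accounts bucketed by whether the password is more than five years old.

```python
from datetime import datetime, timedelta

# Policy thresholds from the text: access must be disabled within 24 hours of
# separation; service-account passwords must be changed at least annually.
SEPARATED_SLA = timedelta(hours=24)
PASSWORD_MAX_AGE = timedelta(days=365)

# Constructed sample export (not real USCIS data). Timestamps are ISO 8601;
# None means "not separated" or "not yet disabled".
ACCOUNTS = [
    {"name": "jdoe",       "kind": "user",    "separated": "2021-03-01T09:00", "disabled": "2021-03-01T17:00", "pwd_last_set": "2021-01-15T00:00"},
    {"name": "asmith",     "kind": "user",    "separated": "2021-05-10T09:00", "disabled": "2021-06-05T09:00", "pwd_last_set": "2021-02-01T00:00"},
    {"name": "bjones",     "kind": "user",    "separated": "2021-07-01T09:00", "disabled": None,               "pwd_last_set": "2021-04-01T00:00"},
    {"name": "svc_backup", "kind": "service", "separated": None,               "disabled": None,               "pwd_last_set": "2015-02-01T00:00"},
    {"name": "svc_web",    "kind": "service", "separated": None,               "disabled": None,               "pwd_last_set": "2022-01-10T00:00"},
    {"name": "svc_db",     "kind": "service", "separated": None,               "disabled": None,               "pwd_last_set": "2020-06-01T00:00"},
]

# Date the audit is run "as of"; an enabled account is measured up to this point.
AS_OF = datetime(2022, 3, 1)


def parse(ts):
    """Parse an ISO 8601 timestamp, passing None through unchanged."""
    return datetime.fromisoformat(ts) if ts else None


def separated_access_findings(accounts, as_of):
    """Return separated personnel whose access outlived the 24-hour SLA.

    An account that is still enabled is measured up to `as_of`, so a
    never-disabled account grows worse every day the audit is deferred.
    """
    findings = []
    for acct in accounts:
        separated = parse(acct["separated"])
        if separated is None:
            continue  # current employee or service account: not in scope here
        end = parse(acct["disabled"]) or as_of
        excess = end - separated
        if excess > SEPARATED_SLA:
            findings.append({
                "name": acct["name"],
                "days_after_separation": excess.days,
                "still_enabled": acct["disabled"] is None,
            })
    return findings


def separated_noncompliance_rate(accounts, as_of):
    """Percentage of separated personnel whose access exceeded the SLA."""
    separated = [a for a in accounts if a["separated"]]
    if not separated:
        return 0.0
    return 100.0 * len(separated_access_findings(accounts, as_of)) / len(separated)


def stale_service_passwords(accounts, as_of):
    """Return service accounts whose password is older than one year.

    `over_five_years` mirrors the report's second bucket.
    """
    findings = []
    for acct in accounts:
        if acct["kind"] != "service":
            continue
        age = as_of - parse(acct["pwd_last_set"])
        if age > PASSWORD_MAX_AGE:
            findings.append({
                "name": acct["name"],
                "age_days": age.days,
                "over_five_years": age > 5 * PASSWORD_MAX_AGE,
            })
    return findings


if __name__ == "__main__":
    for f in separated_access_findings(ACCOUNTS, AS_OF):
        print("separated access:", f)
    print(f"noncompliant separated personnel: {separated_noncompliance_rate(ACCOUNTS, AS_OF):.1f}%")
    for f in stale_service_passwords(ACCOUNTS, AS_OF):
        print("stale service password:", f)
```

In a real environment the `ACCOUNTS` list would come from a directory export (for example, the password-last-set and account-enabled attributes of a directory service) joined against HR separation dates; the checks themselves do not change. Running the check on a schedule, rather than once per audit, is what turns these findings into the "day-to-day oversight" the report says was missing.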
Inadequate security settings on IT equipment may limit an agency’s capability to overcome a major cybersecurity incident. Based on OIG’s testing, USCIS did not implement all the required security settings and updates for its IT systems and workstations to help reduce the impact if access control weaknesses are exploited. Although USCIS systems and workstations were generally compliant with required security standards, the audit found that not all required settings and updates were implemented due to concerns that they may negatively impact system operations. For example, OIG found one system that had eight unique critical vulnerabilities, with 27 critical vulnerability instances and 140 unique high vulnerabilities, with 2,070 high vulnerability instances.
Lastly, while USCIS appropriately relied on departmental guidance for access control policies and procedures, OIG found the guidance to be outdated and lacking the latest Federal requirements.
Without effective access controls to review, remove, and manage personnel’s access to its systems, OIG is concerned that USCIS is at increased risk of unauthorized individuals gaining access to sensitive information. Consequently, it has made numerous recommendations to DHS, with which the agency has concurred.
These include improvements in patching procedures. USCIS established a Vulnerability Management Team on December 13, 2021, to improve its vulnerability management process by coordinating vulnerability remediation and patching efforts between various teams across the enterprise. This project is aimed at identifying significant gaps that exist within the current process and is due to be completed by April 2023.
Actions to address OIG’s other recommendations include an analysis against existing service accounts to determine the appropriate owners, quarterly training, and policy updates.