GSA risks exposing systems and data due to weaknesses with RPA program, IG says
The General Services Administration’s robotic process automation (RPA) program is at risk of exposing agency systems and data to bots, and stronger security measures need to be put into place for the program, according to the agency’s inspector general.
In a Tuesday report, GSA’s Office of the Inspector General stated that the agency’s RPA program did not comply with IT security requirements to “ensure bots are operating securely and properly.” The agency reportedly did not update system security plans to manage bots’ access and removed or modified security requirements instead of addressing these issues, according to the OIG’s report.
The watchdog found a slew of security issues with the bots ranging from the agency not establishing a process for removing access to decommissioned bots to a lack of monitoring and reporting bot-related activity.
The OIG pointed to an executive guide for the federal RPA community of practice — which is housed within GSA — as a resource agencies should use to employ a secure framework for operating RPA programs with established guardrails.
However, the report says GSA did not follow monitoring requirements within that guidance that include performing baseline monitoring to “alert RPA program management if a bot was accessing, reading, writing or moving more data than authorized,” collecting weekly log reviews to identify any errors with logic or processing in each bot’s operation, and annual bot reviews so the agency could approve each bot’s continued use on agency systems.
Additionally, the IG reported reviewing the security plans for 16 agency systems that bots had access to and found that none of the security plans were updated to address how bots were accessing the systems. Seven of the system security plans did not even mention bots. And, 10 of the system security plans “failed to list and authorize non-person entities’ access to the systems.”
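Put concretely, the two controls the OIG faults above (a baseline alert when a bot touches more data than authorized, and a check that each bot is a listed, authorized non-person entity on the systems it reaches) can be expressed as a small daily log review. This is an added illustration, not code from the report or from GSA; the log format, bot names, system names and baselines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample bot activity log (not from the report or GSA systems).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z bot=INVOICE-BOT system=FinanceDB action=read records=480
2024-05-01T09:05:10Z bot=INVOICE-BOT system=FinanceDB action=write records=120
2024-05-01T09:06:00Z bot=INVOICE-BOT system=FinanceDB action=write records=3500
2024-05-01T09:10:00Z bot=HR-BOT system=PayrollSys action=move records=40
2024-05-01T09:12:00Z bot=HR-BOT system=FinanceDB action=read records=10
2024-05-01T09:15:00Z bot=RETIRED-BOT system=FinanceDB action=read records=5
"""

# Assumed system security plan (SSP) data: the non-person entities each system
# authorizes, and the daily record baseline approved for each bot action.
AUTHORIZED = {"FinanceDB": {"INVOICE-BOT"}, "PayrollSys": {"HR-BOT"}}
BASELINE = {("INVOICE-BOT", "read"): 1000, ("INVOICE-BOT", "write"): 500,
            ("HR-BOT", "move"): 100}

LINE_RE = re.compile(r"bot=(\S+) system=(\S+) action=(\S+) records=(\d+)")


def review(log_text):
    """Scan one day's bot log and return alert tuples.

    ("unauthorized", bot, system, action): bot is not an authorized
        non-person entity on that system (also catches decommissioned bots).
    ("over-baseline", bot, action, total, limit): cumulative records for the
        day exceed the approved baseline; a missing baseline counts as 0.
        Reported once per bot/action so a runaway bot does not flood alerts.
    """
    alerts, totals, flagged = [], defaultdict(int), set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # malformed line; a stricter reviewer would alert here too
        bot, system, action, n = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if bot not in AUTHORIZED.get(system, set()):
            alerts.append(("unauthorized", bot, system, action))
            continue
        key = (bot, action)
        totals[key] += n
        limit = BASELINE.get(key, 0)
        if totals[key] > limit and key not in flagged:
            alerts.append(("over-baseline", bot, action, totals[key], limit))
            flagged.add(key)
    return alerts
```

On the sample log this flags the invoice bot's write burst against its baseline and two bots reaching a system whose plan never listed them, which is the gap the 10 unupdated security plans leave open.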
However, GSA pushed back on some of the inspector general’s conclusions. In response to the OIG’s finding that “a bot could erroneously delete or overwrite thousands of records before GSA could even identify that an issue has occurred,” the agency provided a clarification that it would be “technically impossible” for a bot to do that because of the agency’s controls. Additionally, GSA provided a list of comments on the findings, including additional context, updates and further clarifications.
“We do not entirely agree with the findings,” the agency said in response to the findings. “Because there is no federal guidance, as the agency has expanded to the size and scope of the RPA program, GSA has intentionally iterated on our security protocols to address new and emerging challenges in this novel space and is developing the security playbook that is being broadly leveraged across the government. GSA operational processes and capabilities have avoided any RPA-related security incidents to date.”