CBP did not always protect MPC apps from cybersecurity threats. This occurred because app version updates were not always scanned for vulnerabilities and CBP did not always identify vulnerabilities detected in scans. CBP also did not complete seven required security and privacy compliance reviews of MPC apps because it did not establish a schedule for the reviews or track and centrally store review documentation. In addition, CBP did not obtain the information needed for the reviews, had competing priorities, and did not ensure app developers created a process for a required internal audit. Finally, CBP did not implement Department server configuration requirements for its MPC servers. We made eight recommendations that, when implemented, should improve the security of CBP’s MPC program. CBP concurred with all eight recommendations.
Consistent with CDC guidance, most Office of Inspector General employees are currently serving the American people remotely. We are determined to keep interruptions to our operations to a minimum, and we appreciate your patience during this time.
Information and guidance about COVID-19 is available at coronavirus.gov.