• November 21, 2024
GSA Audit Says RPA Program ‘Did Not Comply’ with Its Own Security Requirements

The U.S. General Services Administration (GSA) released a report recently on the results of an internal audit of its RPA program warning of security gaps. The agency was one of the first to embrace the technology after a 2018 Office of Management and Budget report recommended the tool for federal use.

As the department that manages and supports the basic business functioning of the federal government, the GSA was tasked with evangelizing for RPA throughout the bureaucracy, actually wrote the playbook for all federal agencies looking to implement the automation technology and established a “community of practice” to explore opportunities to leverage RPA across all federal government entities.

According to the audit, however, the GSA’s own RPA program poses “unique risks” to GSA’s systems and data.

“We found that GSA’s RPA program did not comply with its own IT security requirements to ensure that bots are operating securely and properly,” wrote the Office of the Inspector General in the report. “GSA also did not consistently update system security plans to address access by bots. Instead of addressing these issues, RPA program management simply removed or modified the requirements. Lastly, GSA’s RPA program did not establish an access removal process for decommissioned bots, resulting in prolonged, unnecessary access that placed GSA systems and data at risk of exposure.”

Additionally, the report said the GSA lacked evidence to support its claim that it was saving more than 240,000 work hours annually. The entire report is available here.