The General Services Administration Office of Inspector General recently audited the agency’s robotic process automation program and found issues with its security.
In its Aug. 6 audit report, the OIG flagged the RPA program’s non-compliance with GSA IT security requirements, the agency’s failure to consistently update system security plans to address RPA bot access and the lack of a process for removing decommissioned bots, which put GSA systems at potential risk of data exposure.
The OIG noted that although the GSA’s chief financial officer and chief information officer did not entirely agree with the results of the report, they did agree with the recommendations.
The recommendations stemming from the audit include having the GSA assess CIO-IT Security-19-97, the agency’s procedural security guide for RPA, to ensure that its controls are effective and properly implemented; develop oversight mechanisms to enforce compliance with RPA policy; and require that system security plans be updated as part of the RPA security approval process to address bot and non-person entity access.
GSA’s implementation of RPA is part of a broader effort to encourage federal agency use of the technology to reduce repetitive administrative tasks.