Recently Released Report
U.S. Department of the Interior Web Hosting Services
In response to the 7-day outage of the OIG and DOI websites, which are hosted by the National Park Service (NPS), we initiated an inspection to determine the cause of the outage and to identify whether the length of the recovery was appropriate. We found multiple reasons and deficiencies that contributed to the website outage. There were no written agreements among NPS, DOI, and OIG describing the roles and responsibilities of each entity, and the information systems involved had not been properly authorized to operate, had outdated or missing security documentation, and had insufficient contingency planning to prepare for a major power failure.
NPS has a web hosting and content management system in its Lakewood, CO, data center referred to as the Denver Data Center Child System (DDC) that manages the content for NPS’ and DOI’s websites. According to the DDC system documentation, DDC is a subsystem of a larger system known as the NPS One General Support System (One GSS). Under a 2009 verbal agreement, NPS agreed to host DOI’s website in the DDC under a cloud-based content delivery network. In 2012, OIG verbally accepted DOI’s offer to share web hosting and content management services, thus migrating OIG’s website to the DDC, but NPS was not informed of this decision. On January 1, 2014, the DDC experienced a power outage, leaving the DOI and OIG websites unavailable between January 1 and January 7, 2014.
During the inspection, we found three major issues contributing to the outage. First, we found that One GSS had not been properly authorized to operate because NPS inadequately assessed One GSS and the data the system hosts. Second, we found that NPS did not have an appropriate contingency plan in place to efficiently respond to and minimize damage and downtime from the outage. Third, we found that NPS, DOI, and OIG did not have written agreements for website hosting, system ownership, support to contingency planning, recovery timeframes, or funding. Neither NPS nor DOI staff knew the terms of the 2009 verbal agreement, and, because of the verbal agreement between DOI and OIG, OIG did not know that NPS hosted either the DOI or OIG website.
We offered 14 recommendations in total, 5 to DOI and 9 to NPS, focusing on establishing processes to assess system risk and properly authorize systems to operate, maintaining accurate and up-to-date documentation and contingency plans, and documenting service level agreements that assign roles and responsibilities to all entities involved in web hosting services.