Why We Performed This Audit
In 2018, the Office of Management and Budget recommended that federal agencies use robotic process automation (RPA) as a new technological tool to reduce repetitive administrative tasks. That same year, GSA established its RPA program to automate low-value, routine tasks, allowing its employees to spend more time on challenging work. RPA uses bots, which are software applications that simulate human actions to reduce repetitive administrative tasks. These bots interact with existing systems to copy data, fill in forms, sign into applications, and send emails. In 2019, GSA established the Federal RPA Community of Practice, which seeks to: (1) increase RPA adoption across the federal government and (2) help agencies overcome technical, management, and operational challenges that arise in designing and deploying an RPA program.
While RPA offers the potential to save time and improve productivity, the bots’ ability to perform thousands of read, write, and deletion actions at high rates of speed poses unique risks to GSA’s systems and data. This can make it difficult to identify logic and processing errors—and their associated consequences—before serious damage is done. As a result, we included this audit in our Fiscal Year 2022 Audit Plan. Our audit objective was to assess whether GSA’s RPA program complies with federal and Agency information technology (IT) security policies, procedures, standards, and guidance.
What We Found
GSA should strengthen the security of its RPA program. We found that GSA’s RPA program did not comply with its own IT security requirements to ensure that bots are operating securely and properly. GSA also did not consistently update system security plans to address access by bots. Instead of addressing these issues, RPA program management simply removed or modified the requirements. Lastly, GSA’s RPA program did not establish an access removal process for decommissioned bots, resulting in prolonged, unnecessary access that placed GSA systems and data at risk of exposure.
What We Recommend
We recommend that GSA’s Chief Financial Officer and Chief Information Officer:
- Conduct a comprehensive assessment of GSA’s CIO-IT Security-19-97, IT Security Procedural Guide: Robotic Process Automation (RPA) Security (RPA policy), to ensure, among other things, that its monitoring controls are effectively designed and implemented.
- Develop oversight mechanisms to enforce compliance with the RPA policy and ensure that controls are operating effectively.
- Require system security plans to be updated as part of the RPA security approval process to address bot and non-person entity access.
- Review all system security plans that bots currently interact with to determine if they address bot and non-person entity access. Update the system security plans, as needed.
- Establish procedures as part of the RPA security approval process that ensure system owners consider updating the security controls identified in Appendix A of the RPA policy.
- Review all system security plans that bots currently interact with to determine if the security controls need to be updated. Update the system security plans, as needed.
- Develop a comprehensive process for removing bot custodian and bot developer access for decommissioned bots and GSA systems that:
  - Aligns with GSA’s CIO-IT Security-01-07, IT Security Procedural Guide: Access Control (AC) (access control policy);
  - Tracks and documents that access has been removed; and
  - Incorporates the process into the RPA policy.
In their response to our report, the Chief Financial Officer and Chief Information Officer agreed with our recommendations but did not entirely agree with our finding. The comments are included in their entirety in Appendix D.