NIH - Office of Extramural Research

% of Critical Security Vulnerabilities Remediated (including waivers) in the Required Time

Current Value: 100% (Q3 2022)

Definition

Story Behind the Curve

Positive Factors

  • Efficient and cooperative coordination between NIH Incident Response Team (IRT) and eRA security staff to identify and remedy vulnerabilities
  • Up-to-date system documentation helps identify where vulnerabilities exist and how best to remedy those vulnerabilities
  • Security staff has the technical expertise required to remedy vulnerabilities
  • eRA has security tools to help staff identify and remedy vulnerabilities, and test whether remedies patched a vulnerability

Negative Factors

  • eRA is constantly vulnerable to security attacks, as affirmed by the General Accountability Office (GAO)
  • Aging IT infrastructure leaves OER IT systems more vulnerable to security attacks and makes hardening systems that much more challenging.
  • According to government mandate, all end-of-life hardware and software that are no longer supported by vendors must be replaced or re-platformed. 
  • Increase in workload from multiple audits.
  • GAO Audit
  • Delays in onboarding contractor and Federal staff result in:
    • Coverage gaps -- the gap between the time staff leave and their position is backfilled.
    • Overburdened staff -- existing staff tasked with handling tasks assigned to staff who've left eRA.
    • Delays in projects -- not enough staff to handle the planned work.

Partners

  • NIH Center for Information Technology (CIT)
  • NIH Incident Response Team (IRT)
  • NIH Institutes and Centers

What Works

  • Building security into systems as they are developed - current eRA best practice
  • Close coordination with NIH Incident Response Team
  • Re-platforming old systems to modern technology platforms with fewer vulnerabilities (e.g. CMM)
  • Regular scans and patching
  • OMB mandated end-of-life hardware and software retirement
  • Customer Impact Report: https://confluence.era.nih.gov...

Action Plan

  • eRA must continually update aging IT infrastructure to prevent expected (and unexpected) security attacks from other entities. 
  • Continue to re-platform end-of-life systems, per government mandate.