The DHS Office of Inspector General found that the department’s information security program was not effective for FY 2019 because the department earned a maturity rating of “Ad Hoc” (Level 1) in three of five functions, compared to last year’s higher overall rating of “Managed and Measurable” (Level 4).
OIG rated DHS’ information security program according to five functions outlined in the 2019 reporting instructions:
- Identify: DHS received a Level 1 rating because it did not have an effective strategy or department-wide approach to manage risks for all of its systems.
- Protect: DHS achieved Level 4 as it was rated Level 4 in three of the four domains essential to this function.
- Detect: DHS received a Level 1 rating due to the lack of a comprehensive strategy and organization-wide continuous monitoring approach to address all requirements and activities at each organizational tier.
- Respond: DHS received a Level 1 rating because the Coast Guard had not reported its cybersecurity incidents to DHS since 2012.
- Recover: DHS received a Level 3 rating because it had made no progress since prior years.
The OIG report attributed DHS’ regression in managing its information security program to a recent decision that was redacted in the public version of the report.
This decision, OIG said, adversely affected the ability of the Department’s senior leadership to make informed, risk-based decisions on essential cybersecurity activities such as risk management, weakness remediation, system inventory, incident reporting, and continuous monitoring.
OIG reviewed DHS’ information security program for compliance with Federal Information Security Modernization Act requirements. OIG conducted the evaluation according to fiscal year 2019 reporting instructions. The objective was to determine whether DHS’ information security program and practices adequately and effectively protected data and information systems supporting DHS’ operations and assets for FY 2019.
Out of five recommendations, three are redacted in the report. The other two are to enforce requirements for components to obtain authority to operate, test contingency plans, and apply sufficient resources to mitigate security weaknesses for both their unclassified systems and NSS, and for the CISA CIO to strengthen the component’s information security program by establishing the necessary policies and procedures according to the NIST Cybersecurity Framework.
DHS concurred with all five recommendations.