An Inspector General’s review of DHS’s Information Security Program has found that the department could protect its information and systems more effectively.
According to the report, which examined the agency’s information systems in FY 2017, three out of five areas within the program fell below the target levels set in Federal Information Security Modernization Act (FISMA) reporting instructions. The inspector general stated that, unless further oversight is introduced, DHS cannot ensure its systems adequately protect the sensitive data they store and process.
Under the FISMA reporting instructions, information systems programs should be meeting “managed and measurable” standards, defined as Level 4 maturity, within five key areas. These are broadly divided into identify, protect, detect, respond and recover.
The OIG found that within the “identify” function, 64 systems lacked the valid authority to operate, and security weaknesses were not being remediated in a timely fashion.
It also found that DHS did not implement all the settings needed to protect component systems, continued using unsupported operating systems and did not apply security patches to mitigate critical and high-risk vulnerabilities. The report found that software licenses for unclassified systems were not always monitored and that DHS relied on data calls to monitor national security systems.
OIG also reported that the agency did not test all system contingency plans, develop procedures for handling sensitive information or identify alternate facilities to recover processing in the event of service disruptions.
It made five recommendations to the DHS CIO, which include pursuing alternate strategies for ensuring that components accomplish planned actions, enforcing requirements for components to have contingency plans in place, and revising the information systems continuous monitoring strategy. OIG noted that DHS has taken steps to resolve all five recommendations, and only four remain open pending documentary evidence that they have been completely resolved.