An Office of Inspector General (OIG) review has found that the Transportation Security Administration (TSA) did not implement effective technical controls to protect the sensitive information processed by a High Value Asset (HVA) system.
In recent years, the federal government has seen numerous information security incidents affecting the integrity, confidentiality, and/or availability of government information, systems, and services. OIG and the U.S. Government Accountability Office have both identified preventing cyberattacks as a major management and performance challenge. In response to these threats, in 2015, the Office of Management and Budget created the HVA security initiative, which required large federal agencies to identify their most critical assets. HVAs include federal information systems, information, and data for which unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to national security interests, foreign relations, the economy, safety, and the security of the American people.
Across the federal government, various departments including the Department of Homeland Security and its components operate HVA systems that contain sensitive information and/or support critical services.
In OIG’s review and testing of TSA’s HVA, security deficiencies were identified in 8 of 10 security and privacy controls from the National Institute of Standards and Technology (NIST) Special Publication 800-53. The deficiencies were found in configuration management, risk assessment, supply chain risk management, access control, planning, awareness and training, assessment, authorization, and monitoring, and contingency planning. The two areas where no deficiencies were found were incident response, and audit and accountability.
OIG is concerned that TSA cannot ensure it will be able to quickly detect, respond to, and recover from a cyber attack, and is calling on the agency to strengthen its management of the HVA system.
During the review, OIG found that TSA did not ensure all known software updates were promptly applied to the assessed servers and workstations to remediate critical and high-risk vulnerabilities, as required by DHS. Through vulnerability assessments of the HVA system, inspectors identified 274 unique critical and high-risk vulnerabilities on servers and workstations. OIG said TSA had not addressed these vulnerabilities within DHS’ remediation compliance timeframes. For example, inspectors identified three unique vulnerabilities (two critical and one high-risk) related to a specific weakness that occurred 99 times.
TSA told OIG that in May 2022, its vulnerability management software became unable to deploy patches to more than 700 workstations because these workstations were configured with the same Globally Unique Identifier. Additionally, TSA officials stated that the component’s vulnerability assessment software applications had not been able to communicate with, and collect data from, these workstations since August 2022.
OIG also found that TSA does not maintain a current list of the selected HVA system users and their authorized level of access. NIST requires that the types of accounts allowed and specifically prohibited for use within a system be defined and documented. OIG also found that TSA does not have an effective process to manage user account access for the HVA system when employees and contractors separate from the component.
Since OIG completed its review, TSA has taken steps to correct the deficiencies identified. Measures include applying security patches to remediate the vulnerabilities identified. TSA officials also told OIG that the component is working to strengthen its policies and procedures covering areas such as user account management, supply chain risk management, and contingency planning.
OIG made 12 recommendations in its report to TSA. TSA agreed and set out plans to meet 11 of these by August 30, 2024. Work to address the remaining recommendation, to develop and implement a supply chain risk management plan to address and mitigate risks associated with the hardware components and software being used on the HVA system, is already underway but likely to take longer to fully implement and TSA therefore estimates a completion date of August 29, 2025.