Across the federal government, various departments including the Department of Homeland Security (DHS) operate High Value Asset (HVA) systems that contain sensitive information and/or support critical services. HVAs include federal information systems, information, and data for which unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to national security interests, foreign relations, the economy, and public safety and security.
Recently, the Office of Inspector General (OIG) carried out a review to determine if U.S. Customs and Border Protection (CBP) implemented effective technical controls to protect the sensitive information that is stored and processed by a HVA system.
OIG found that CBP implemented most security and privacy controls tested for the selected HVA system, in compliance with applicable federal and DHS requirements. However, OIG identified deficiencies in 2 of 10 control families — Configuration Management and Supply Chain Risk Management (SCRM). Specifically, OIG determined that CBP did not have waivers or risk acceptance letters for noncompliant configuration management settings. OIG nevertheless determined that the overall compliance rate was effective.
The review also revealed that CBP did not implement a system-level SCRM plan as recommended by the most recent National Institute of Standards and Technology (NIST) guidance and required by the Office of Management and Budget. This occurred, OIG said, because DHS delayed development and publication of its department-level guidance instructing components to adopt the NIST controls, including system-level SCRM plans.
Although CBP implemented most controls for the HVA system and remediated vulnerabilities in the HVA databases, OIG said SCRM controls are needed in order to ensure that sensitive information stored and processed by HVA systems is fully protected and secure.
CBP has retired the HVA since OIG’s reviewand migrated the system from a server to a cloud-based environment as part of its modernization effort, which designated the HVA as a Federal Risk and Authorization Management Program (FedRAMP) system. Cloud-based FedRAMP systems do not have a required date for implementing SCRM controls. As a result, OIG is not recommending that CBP develop and implement a system-level SCRM plan for its HVA. The watchdog said however that until FedRAMP systems are required to implement SCRM controls and DHS instructs components to adopt the latest relevant NIST controls, there is a risk that sensitive information stored and processed by HVA systems may not be fully protected and secure.
CBP has also retired the servers that OIG found to have configuration management deficiencies.
