The Department of Homeland Security’s inspector general found that the DHS information security program was effective for fiscal year 2018 with the department earning the targeted maturity rating, “Managed and Measurable” (Level 4), in four of five functions, as compared to last year’s lower overall rating, “Consistently Implemented” (Level 3).
OIG reviewed DHS’ information security program for compliance with Federal Information Security Modernization Act requirements and conducted the evaluation according to this year’s reporting instructions.
The OIG’s objective was to determine whether DHS’ information security program and practices adequately and effectively protected data and information systems supporting DHS’ operations and assets for Fiscal Year 2018.
OIG rated DHS’ information security program according to five functions outlined in this year’s reporting instructions:
- Identify ─ Although some systems lacked authority to operate and security weaknesses were not remediated quickly, DHS achieved Level 4 by identifying cybersecurity risks through the systems security authorization process.
- Protect ─ DHS achieved Level 4 by implementing a patch management program to mitigate vulnerabilities. However, DHS did not apply patches in a timely manner to mitigate vulnerabilities; did not implement all configuration settings, as required; and was using unsupported operating systems.
- Detect ─ DHS was rated at Level 4 due to its process to detect potential incidents.
- Respond ─ DHS earned Level 4 by taking sufficient actions to respond to detected cybersecurity incidents.
- Recover ─ DHS received Level 3, its lowest rating, because it did not employ automated mechanisms to test all system contingency plans or identify alternate facilities to recover processing in the event of service disruptions.
OIG attributed DHS’ progress to improvements in information security risk management, configuration management practices, continuous monitoring, and more effective security training. By addressing the remaining deficiencies, DHS can further improve its security program, ensuring its systems adequately protect the critical and sensitive data they store and process.
OIG recommended that the DHS CISO:
- Enforce requirements for components to obtain authority to operate; test contingency plans; and apply sufficient resources to mitigate security weaknesses for both their unclassified systems and NSS.
- Establish detailed procedures to notify relevant stakeholders, including the Office of Inspector General and the Office of General Counsel, of non-PII related major incidents.
- Implement internal controls and perform quality reviews to validate that information security data input to DHS’ classified enterprise management system is complete and accurate.
DHS concurred with the three recommendations and is taking steps or has implemented actions to address them.