
IG: DHS on Track to Implementing Cybersecurity Act

Rep. Bennie G. Thompson (D-MS), ranking member of the House Committee on Homeland Security, said this week that the Department of Homeland Security’s (DHS) Office of Inspector General’s (IG) review of DHS’s implementation of the Cybersecurity Act of 2015 shows that DHS “has taken meaningful steps to implement” the provisions of the act “to protect our most sensitive government IT systems,” but that much “more needs to be done to ensure sensitive data about Americans and classified information—whether stored on DHS systems or on contractor IT systems—is more secure from unauthorized access, use and disclosure.”

The IG’s audit, though, stated DHS “has taken a number of steps to implement provisions in Title IV, Section 406 of the Cybersecurity Act.” While the IG did note that, “DHS and its components can benefit from additional data protection capabilities and policy to help ensure sensitive PII [Personally Identifiable Information] and classified information are secure from unauthorized access, use and disclosure,” and had “not developed policies and procedures to ensure that contractors implement data protection solutions,” it noted that, as required by the act, DHS has “developed enterprise-wide logical access policies and procedures for its National Security Systems (NSS) and other systems that provide access to PII, in accordance with appropriate federal standards; applied its process for authorizing systems to operate to ensure logical access controls are implemented and assessed and ensured multi-factor authentication for privileged users of unclassified systems, and some NSS; and established software inventory policies, although not all DHS components used data exfiltration protection capabilities to support data loss prevention, forensics and visibility and digital rights management.”

The IG further stated DHS “has taken a number of steps to implement provisions in Section 406 of the Cybersecurity Act. As required, we examined DHS activities in four key cybersecurity areas. We determined the department has developed enterprise-wide logical access policies and procedures for its NSS and other systems that provide access to PII, in accordance with appropriate federal standards. DHS has applied its process for authorizing systems to operate to ensure logical access controls are implemented and assessed. It has also ensured multi-factor authentication for privileged users of unclassified systems and most NSS.”

The IG’s audit further stated that, “DHS has developed enterprise-wide logical access policies and procedures for its NSS and other systems that provide access to PII, in accordance with appropriate federal standards. DHS issues IT policies and procedures at the unclassified, classified and intelligence system levels. Each department-issued policy is used to ensure compliance with the Federal Information Security Modernization Act, P. L. No. 113-283 (2014), as well as with guidance from the Office of Management and Budget and the National Institute of Standards and Technology. DHS’ logical access policies include security principles and best practices such as password complexity, least privilege and segregation of duties to control system access. For unclassified and ‘Secret’ systems, the department requires two-factor authentication, audit logging capabilities and encryption for sensitive information throughout its transmission.”

“DHS’s logical access practices are driven by the Homeland Security Presidential Directive 12 (2004),” the IG said. “This directive requires multi-factor authentication for logical access through the use of Personal Identity Verification cards issued to its employees and contractors. Personal Identity Verification cards are used for physical access to DHS facilities as well as logical access to its ‘Sensitive But Unclassified’ networks. Moreover, DHS requires the use of security tokens to access the Homeland Secure Data Network, which is used to process and store information classified as ‘Secret.’”

Thompson nevertheless stated, “Cyber criminals, hacktivists and cyber terrorists are constantly seeking to exploit weak points in our IT infrastructure [thus] DHS needs to develop policies and procedures to assure that all DHS components and contractors implement essential data protection solutions.”

Although DHS “has established software inventory policies, not all DHS components used data exfiltration protection capabilities to support data loss prevention, forensics and visibility and digital rights management [and] had not developed policies and procedures to ensure that contractors implement data protection solutions. DHS components we reviewed generally recognized that additional actions were needed to protect sensitive PII and classified information from unauthorized access, use and disclosure,” the IG stated.

Continuing, the IG said, “DHS and its components can benefit from additional data protection capabilities and policy to help ensure sensitive PII and classified information are secure from unauthorized access, use and disclosure.”

The IG submitted its report for informational purposes to the appropriate congressional oversight committees as required by the act, but due to a lack of specific criteria, the report contained no recommendations.

In its conclusion, the IG stated DHS “has taken a number of steps to implement provisions in Section 406 of the Cybersecurity Act. For example, the department has developed enterprise-wide logical access policies and procedures for its NSS and other systems that provide access to PII, according to appropriate federal standards. DHS ensures logical access controls are implemented and assessed through the security authorization process and has implemented multi-factor authentication for privileged users of unclassified systems and most NSS. Further, the department has established software inventory policies.”

Still, “not all DHS components utilize or have developed policies to ensure contractors implement data exfiltration protection capabilities,” the IG reported.

Homeland Security Today (http://www.hstoday.us)