The Office of Inspector General (OIG) has reviewed the Department of Homeland Security’s (DHS) information security program for compliance with the Federal Information Security Modernization Act of 2014 (FISMA) requirements and rated it “effective”.
OIG based this rating on its evaluation of DHS’ compliance with the FISMA requirements on unclassified and National Security Systems, for which DHS improved its maturity level in three functions compared to FY 2021. DHS received “Level 4 – Managed and Measurable” in the Identify, Protect, Respond, and Recover functions, and a “Level 3 – Consistently Implemented” in the Detect function.
FISMA requires federal agencies to develop, document, and implement agency-wide information security programs. Each program should protect the data and information systems supporting the operations and assets of the agency, including those provided or managed by another agency, contractor, or source.
Even in the areas where DHS has improved, OIG found room for further progress, which the watchdog said could be achieved by focusing on centralized risk management practices, increasing training and education, revising policies and procedures to incorporate applicable new controls, and fully testing contingency plans.
OIG also identified six deficiencies based on its evaluation and testing:
- Systems were operating without an Authority to Operate and without Contingency Plan Testing.
- Plans of Action and Milestones used to mitigate known information security weaknesses were past due or not updated.
- Security configuration settings were not implemented for all systems tested.
- Some components had identity and access weaknesses.
- An unsupported version of a Windows operating system was running on a component workstation.
- Some components did not promptly apply security patches to mitigate critical and high-risk security vulnerabilities on selected systems tested.
OIG is also concerned that DHS has not resolved the knowledge, skills, and abilities gaps it previously identified in its cyber workforce. As a result, OIG says, the Department cannot ensure that its employees possess the knowledge and skills necessary to perform their job functions, or that qualified personnel are hired to fill cybersecurity-related positions.
OIG is making one recommendation to DHS as a result of this latest review: that the DHS Office of the Chief Information Officer (OCIO) enforce the requirement for components to obtain an Authority to Operate for their systems, promptly commit sufficient resources to creating and monitoring Plans of Action and Milestones to mitigate known information security weaknesses, and ensure that contingency plans are tested.
DHS concurred with the recommendation and also responded to the deficiencies OIG found. For example, the Department said it has expanded its centralized patching capability to cover 88 percent of all DHS endpoints. OCIO has prioritized extending that capability to 100 percent of DHS endpoints, which DHS estimates will be completed by September 30, 2023.