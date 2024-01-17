Department of Homeland Security components did not consistently apply information technology (IT) access controls to ensure only authorized personnel had access to systems, networks, and information. This capping report summarizes access control practices and deficiencies reported in three components — U.S. Citizenship and Immigration Services (USCIS), Federal Emergency Management Agency (FEMA), and U.S. Immigration and Customs Enforcement (ICE) — over the last 12 months.

We determined USCIS, FEMA, and ICE did not consistently manage or remove access when personnel separated or changed positions. Also, USCIS, FEMA, and ICE did not take all necessary steps to ensure privileged user access was appropriate and that service accounts were adequately secured. These deficiencies stemmed from insufficient internal controls and oversight to ensure access controls were administered appropriately.

In addition to access control deficiencies, we found that USCIS, FEMA, and ICE did not implement all required security settings and updates for their IT systems. This occurred because the components were concerned these IT controls might negatively impact operations. We also found that DHS’ information security framework did not include the latest Federal requirements for access controls. DHS’ overall security posture relies on all components to implement effective IT access controls. Therefore, it is critical for USCIS, FEMA, and ICE to complete the corrective actions needed to fully address the deficiencies and the remaining 24 open recommendations made in our three prior reports.

Read the report here: OIG-24-11