The Office of Inspector General (OIG) has reviewed the Department of Homeland Security’s (DHS) information security program for compliance with Federal Information Security Modernization Act of 2014 requirements. OIG’s objective was to determine whether DHS’ information security program and practices adequately and effectively protected data and information systems supporting DHS’ operations and assets for FY 2020.
OIG rated DHS’ information security program effective, with a maturity rating of “Managed and Measurable” (Level 4) in three of five functions. During the review, OIG identified: systems operating without authority to operate; known information security weaknesses not promptly mitigated; security configuration settings not implemented for all systems; use of an unsupported operating system; and security patches not applied promptly.
In May 2020, the Department of Homeland Security (DHS) formally documented its risk acceptance to allow the United States Coast Guard to meet Federal Information Security Modernization Act of 2014 (FISMA) requirements according to Department of Defense, rather than DHS, reporting requirements. Therefore, when evaluating the overall effectiveness of the DHS information security program for the FY 2020 FISMA review, OIG’s rating does not include the Coast Guard. Also, the watchdog’s rating of DHS’ program is contingent on the Department’s completion of its corrective actions to OIG’s prior recommendations, such as revising its information security policies and procedures to reflect senior leadership’s approval of the Coast Guard’s FISMA reporting to the Department of Defense and communicating the decision, in writing, to the Office of Management and Budget and selected congressional oversight committees.
OIG’s report made four recommendations to DHS, with which the Department concurred:
- The DHS Chief Information Officer should enforce requirements for components to obtain authority to operate and resolve critical and high-risk vulnerabilities, implement required configuration settings, and apply sufficient resources to mitigate security weaknesses for both their unclassified systems and national security systems.
The Department stated that the DHS CIO holds monthly meetings with component CIOs to discuss remedial actions and resolve impediments to improving components’ information security program metrics. DHS CIO will continue to work with component CIOs in this forum to develop additional strategies for compliance with planned remedial actions addressing areas such as security authorization and weakness remediation. In addition, DHS CIO will work with component CIOs to reduce high-risk vulnerabilities, ensure prompt installation of software patches, and eliminate unnecessary services for unclassified and national security systems. Estimated Completion Date: June 30, 2022.
- The DHS S&T Chief Information Officer should strengthen the component’s information security program by establishing necessary policies and procedures according to the NIST Cybersecurity Framework.
The Department stated that the S&T CIO recognizes the value of the NIST Cybersecurity Framework in helping to strengthen the cybersecurity program. As such, the S&T CIO is in the process of establishing the recommended policies and procedures. Further, the S&T CIO is working to add three other policies from the NIST Cybersecurity Framework to enhance and support the S&T cybersecurity efforts. Specifically: (1) S&T 1 ID.RM-001, Information Security Policy, (2) S&T 1 ID.RM-002, Information Security Risk Management Policy, and (3) S&T 1 ID.RM-003, Risk Assessment Policy. Estimated Completion Date: September 30, 2021.
- The Secret Service Chief Information Officer should strengthen the component’s information security program by establishing necessary policies and procedures according to the NIST Cybersecurity Framework.
Since the first quarter of FY 2021, the Secret Service’s Office of the Chief Information Officer (OCIO) staff have undertaken significant efforts to formally review, update, and create enterprise policies and standard operating procedures and to ensure they align with Federal statute and regulation, Department policy, and NIST guidelines, as appropriate. For example, the OCIO has updated 9 of the 44 OCIO policies. During FY 2022, the OCIO will evaluate the remaining 35 policies and determine which ones should be removed as no longer applicable to the Secret Service’s operations, which require substantial updates, and which require minor updates. The Secret Service’s leadership believes that policies and procedures benefit from continuous improvement and is committed to periodically reviewing this guidance, as appropriate. Estimated Completion Date: September 30, 2023.
- The FEMA Chief Information Officer should strengthen the component’s oversight to sustain its information security program on a year-round, continuous basis and maintain Security Authorization and Plan of Action and Milestones (POA&Ms) remediation status.
Throughout the past year, FEMA’s OCIO staff took action to improve the information security program, the security authorization status of high value assets and non-high value assets, and related POA&M remediation efforts. FEMA OCIO’s POA&M remediation efforts have also drastically improved the quality of POA&M development and reduced the number of expired POA&Ms. FEMA’s goal is to reduce expired POA&Ms to zero and maintain a status of green for the Weakness Remediation metric. FEMA is taking the necessary actions to improve its information security program and cybersecurity risk posture for the agency. Estimated Completion Date: March 31, 2022.