Several Department of Homeland Security (DHS) agencies aren’t performing as well as they should when it comes to information security, concluded DHS Inspector General (IG) Richard Skinner, whose office evaluated the department’s information security program for fiscal year 2008.
The IG found agencies such as Immigration and Customs Enforcement, Customs and Border Protection, Management Directorate and the Federal Emergency Management Agency aren’t following through on some DHS protection programs.
"The department continues to improve and strengthen its security program," Skinner wrote. "While these efforts have resulted in some improvements, components are still not executing all of the department’s policies, procedures and practices."
The IG review is required under the Federal Information Security Management Act (FISMA) of 2002.
The IG evaluated DHS’ progress in implementing an agency-wide information security program, including its Plan of Action and Milestones (POA&M), its certification and accreditation (C&A) process, and its privacy program. The POA&M includes a process for reporting and capturing security weaknesses.
Several of the shortcomings highlighted this year were spotted three years ago.
Problems then included a lack of a system inventory, lack of a formal reporting structure between the CIO and organizational components, lack of a verification process for FISMA performance metrics, and security weaknesses.
This year, issues include: systems being accredited even though key documents and key information are missing; POA&Ms not being created for all known security weaknesses; POA&M weaknesses not being mitigated fast enough; and baseline security configurations not being implemented for all systems.
The OIG said some systems were being accredited without key documents or information – such as detailed emergency configuration changes and incident handling procedures – which help agency officials make credible, risk-based decisions on whether to authorize the systems to operate.
It also found:
- 19 instances where contingency plans were incomplete
- 3 instances where contingency plans had not been tested
- 11 instances where some of the required critical security controls weren’t included in the system test and evaluation plan
- 9 systems were reported incorrectly as E-Authentication applications in DHS’ enterprise management tool, which may have skewed the accuracy of DHS’ systems inventory
- FEMA, ICE, Management and CBP didn’t create sufficient POA&Ms
- Many information system security managers and officers are not keeping current logs of how they’re fixing security weaknesses
- The DHS Training Office doesn’t yet have a good enough training program for employees and contractors with "significant IT security responsibilities."
- The Privacy Office is experiencing delays in reviewing and approving privacy impact assessments
Some DHS officials note that the agencies lagging behind are huge entities that span the globe.
The chief information security officer (CISO) and chief privacy officer at DHS concurred with the IG’s findings, but said the department is taking many steps to address the problems.
The Privacy Office, for example, is working to complete the PII [Personally Identifiable Information] Handbook by the end of 2008 to inform department employees, senior officials and contractors of their obligations to protect information and what to do if it’s lost or compromised. Also to be produced is a "consequences" document as it relates to PII.
"Upon completion of both, all offices will work together on a training program to educate employees, contractors, and others impacted by the requirement," wrote DHS Chief Privacy Officer Hugo Teufel III.
CISO Robert West said DHS is implementing metrics to more effectively measure the rollout of an enterprise-wide vulnerability assessment program, and, on personnel training, "the department has begun establishing training objectives by security role … the scope is to address the highest risk positions first and continue from there."
DHS, as a whole, is making improvements. The agency received a “B+” on the FISMA compliance report card issued by Congress in May, for FY2007 – up from a “D” the year before. It received an “F” in 2005.
But some scorecard critics say the government’s eye is on the wrong ball.
"They are measuring the wrong thing – compliance – when they should be measuring security effectiveness," said SANS Institute Research Director Alan Paller. "They do it because the White House makes them. So doing badly on the scores is fundamentally irrelevant."
Legislation drafted in the Senate this year, S. 3474, the "Federal Information Security Management Act of 2008," would require agencies to buy products with security built in rather than adding it later, saving money and avoiding delays, and would require agencies to reach a government-wide agreement on baseline information security measures to thwart attacks. Attack-based metrics would also have to be agreed upon.
Paller said the new FISMA legislation – which he thinks has a "good chance" to pass – could improve information security procedures and practices overall.
"The White House measuring attack-based metrics while making NIST [National Institute of Standards and Technology] guidance optional instead of mandatory so agencies can focus on security instead of compliance" would also help, he added.
Liza Porteus Viana writes regularly for HSToday.us and HSToday.