Despite the progress the Department of Homeland Security (DHS) made in taking actions to strengthen its information security program, not all components in Fiscal Year 2016 “consistently follow[ed] DHS’s policies and procedures to maintain current or complete information on remediating security weaknesses [in a] timely [manner],” according to a new DHS Inspector General (IG) audit report. “Components operated 79 unclassified systems with expired authorities to operate,” the IG found.
“Further,” the IG reported, “components had not consolidated all Internet traffic behind the department’s trusted Internet connections and continued to use unsupported operating systems that may expose DHS data to unnecessary risks.”
Continuing, the IG said, “We also identified deficiencies related to configuration management and continuous monitoring. Without addressing these deficiencies, the department cannot ensure that its systems are adequately secured to protect the sensitive information stored and processed in them.”
In January 2016, the Under Secretary for Management issued a memorandum that required all components to enhance DHS’s Cyber Defense by providing security training and exercises to employees and contractors, and implementing endpoint protection solutions and two-factor authentication on DHS’s classified network. The components have made significant progress in remediating security weaknesses identified, compared to the same period last year,” the IG noted, adding, “as of May 2016, all components were reporting information security metrics to the department, enabling DHS to better evaluate its security posture.”
The IG recommended to the Chief Information Security Officer that DHS “further strengthen its oversight” of its information security program in the areas of continuous monitoring, plan of action and milestones, security authorization and configuration management.
DHS concurred with all four recommendations.
The IG stated that, based on information provided in DHS’s response to the IG’s draft report, the IG “consider recommendations 1, 2, 3 and 4 open and resolved, and directed that, “Once your office has fully implemented the recommendations [to] submit a formal closeout letter to us within 30 days so that we may close the recommendations. The memorandum should be accompanied by evidence of completion of agreed-upon corrective actions.”
The IG’s review of DHS’s information security program is in accordance with the Federal Information Security Modernization Act (FISMA) of 2014. The IG’s “objective was to determine whether DHS’s information security program is adequate, effective and complies with FISMA requirements.
