The Office of Inspector General (OIG) has found that the Department of Homeland Security (DHS) has not yet strengthened its cybersecurity posture by implementing a Continuous Diagnostics and Mitigation (CDM) program.
In 2013, the Office of Management and Budget required federal agencies to establish an Information Security Continuous Monitoring program to identify and respond to emerging cyber threats. DHS established the Continuous Diagnostics and Mitigation program to help agencies monitor and manage cybersecurity vulnerabilities.
OIG’s audit found that DHS spent more than $180 million between 2013 and 2020 to design and build a department-wide continuous monitoring solution but faced setbacks.
DHS initially planned to deploy its internal CDM solution in three phases by 2017 using a “One DHS” approach that restricted components to a standard set of common tools. After this attempt was unsuccessful, DHS adopted a new acquisition strategy in 2019, shifting to a capability-driven implementation approach, pushing the deadline to 2022, and allowing components to utilize existing tools to collect CDM data.
As of March 2020, DHS had developed an internal CDM dashboard, but OIG found it had reported less than half of the required asset management data. Efforts were still underway to automate and integrate the data collection process among components so DHS could report additional data, as required.
The watchdog said DHS now needs to upgrade its dashboard to ensure sufficient processing capacity for component data.
A Department official told OIG that the existing platform did not have adequate capacity to process the high volume of DHS’ data from its numerous components. This occurred because the dashboard was developed with software that could not handle the data volume. To address this concern, DHS planned to build a new agency dashboard on a more robust platform. Officials expect the new dashboard platform will meet increased demand. The new platform will also provide better performance, visualization, and data analytics. At the conclusion of OIG’s audit, the Department had not finalized its implementation plans and schedule, but some DHS officials expected the new agency dashboard would be operational by early 2021.
In addition, OIG notes in its June 1 report that its audit identified vulnerabilities on CDM servers and databases, which were due to DHS not clearly defining patch management responsibilities and not implementing required configuration settings. Consequently, databases and servers could be vulnerable to cybersecurity attack, and the integrity, confidentiality, and availability of the data could be at risk.
In December 2018, the Government Accountability Office (GAO) reported on how agencies protect and secure Federal IT systems. GAO reported that DHS was in the process of enhancing CDM capabilities of federal agencies to automate network monitoring for malicious activity. According to GAO, the CDM program planned to: deploy Phase 1 tools by March 2019; deploy Phase 2 tools by September 2019; and achieve full operating capability of Phases 1, 2, and 3 by September 2022. But GAO found that by June 2018, most agencies developing CDM capabilities had not fully implemented any of the CDM phases and the program was behind schedule. Further, officials at most agencies indicated the need for additional CDM training and guidance. Delays in CDM phase deployment were, at least in part, responsible for the delays in agency implementation.
And in August 2020, GAO reported on DHS’ oversight of the Federal government-wide CDM program. GAO disclosed challenges the agencies identified in implementing the requirements, as well as the steps DHS took to address these challenges. GAO concluded that involvement in the CDM program improved network awareness at the three agencies it reviewed. However, none of them had effectively implemented all key CDM program requirements. For example, none of the agencies had fully implemented requirements for managing their hardware.
GAO’s review considered the government-wide CDM program, whereas OIG’s audit focused on DHS’s implementation of its internal CDM program.
OIG made three recommendations in its June 1 report. First, that the CDM program plan be updated to demonstrate the agency dashboard can be transitioned to a scalable platform, ensure components use tools that meet requirements, set appropriate deadlines, and integrate component data. Second, to mitigate the vulnerabilities identified on the CDM information technology assets. And finally, to define patch management responsibilities for the Continuous Diagnostics and Mitigation information technology assets.
DHS concurred with all three recommendations and stated that it transitioned the Department’s dashboard to a scalable platform on January 6, 2021. It added that the vulnerabilities highlighted had been corrected in 2019; OIG is awaiting vulnerability assessment re-scans before closing the recommendation.
With regard to the third recommendation, DHS responded that it had defined patch management responsibilities for CDM IT assets as part of its Continuous Monitoring as a Service System Security Plan (SSP), dated July 6, 2016. DHS requested that the OIG consider this recommendation resolved and closed, as implemented. OIG reviewed the 2016 SSP and the later 2019 SSP and found that both documents outline roles and responsibilities for “operations personnel” to remediate vulnerabilities. However, when asked about the findings, DHS headquarters personnel told OIG there was confusion about who was responsible for addressing database vulnerabilities. In particular, personnel did not know whether the contractor supporting DHS’ Continuous Monitoring as a Service or the data center hosting the infrastructure was responsible for addressing database vulnerabilities. Ultimately, OIG found that although the SSPs defined responsibilities in a generalized manner, they were not specific enough to alleviate the confusion.