The Office of Inspector General (OIG) has rated the Department of Homeland Security’s (DHS) information security program for FY 2021 as “not effective”. DHS was, of course, primarily focused on a major cyber event during FY 2021 and faced significant challenges as it diverted resources to respond to the SolarWinds incident.
To receive an “effective” rating, agencies must achieve a “Level 4 – Managed and Measurable” in three of the five functions outlined in the National Institute of Standards and Technology (NIST) Cybersecurity Framework. DHS received “Level 4 – Managed and Measurable” in the Protect function, “Level 3 – Consistently Implemented” in the Identify, Detect, and Respond functions, and “Level 2 – Defined” in the Recover function.
OIG’s rating of “not effective” was based on the watchdog’s evaluation of DHS’ compliance with the Federal Information Security Modernization Act (FISMA) requirements on unclassified and National Security Systems.
OIG found six deficiencies:
- Systems in use without an authority to operate.
- Known information security weaknesses not mitigated in a timely manner.
- Security patches not applied in a timely manner to mitigate critical and high-risk security vulnerabilities on selected workstations and network equipment.
- One component running an unsupported operating system on its network equipment.
- Inaccurate reporting of metrics in monthly scorecards and FISMA quarterly submissions.
- Outdated information technology security guidance that contradicts other DHS policies.
DHS components are responsible for developing and periodically testing contingency plans outlining backup and disaster recovery procedures for the respective information systems. However, according to OIG, as of June 2021, the Cybersecurity and Infrastructure Security Agency, DHS HQ, the Federal Emergency Management Agency, U.S. Immigration and Customs Enforcement, Transportation Security Administration, and U.S. Citizenship and Immigration Services had not tested contingency plans for 24 of 568 unclassified systems.
OIG also found weaknesses in DHS’ security training. Components are required to ensure all employees and contractors receive annual IT security awareness training, as well as specialized training for employees with significant responsibilities. But OIG determined that DHS did not demonstrate that its security awareness and training program was properly resourced per the FY 2021 FISMA Reporting Metrics. Although DHS has assessed the knowledge, skills, and abilities of its cyber workforce, OIG found it has not yet finalized a strategy to address the identified gaps outlined in its Cybersecurity Workforce Strategy.
To address the deficiencies, OIG has recommended that DHS enforce requirements for components to obtain authority to operate, resolve critical and high-risk vulnerabilities, and apply sufficient resources to mitigate security weaknesses. DHS concurred and said it has initiated efforts to standardize the Department’s Ongoing Authorization program across all components. This effort will migrate most of the Department’s systems to Ongoing Authorization, which is intended to improve security control oversight, while reducing the administrative burden of authority to operate renewals. Further work is underway to address high-risk vulnerabilities by improving visibility through custom queries of the Department’s Continuous Diagnostics and Monitoring data for the critical vulnerabilities reported to be actively exploited. Also, the DHS Vulnerability Assessment Team, in coordination with the components, has developed tailored protection and discovery mechanisms for emerging vulnerabilities. DHS envisages completing work to address OIG’s first recommendation within the next two months.
Following its review, OIG also called for DHS to strengthen the review and validation process to ensure accurate security information is reported in the monthly scorecards and the Chief Information Officer’s quarterly submission to the Office of Management and Budget. DHS acknowledged that an administrative oversight resulted in government-issued mobile devices being incorrectly reported as personally-owned mobile devices and that this information was included in the DHS Monthly FISMA scorecard until the issue was discovered and corrected. In response to this incident, DHS restructured the process by which component inputs are incorporated into the scorecard to include monthly component cross checks, along with additional analysis and reviews. Altogether, DHS said this revised scorecard production process has reduced the opportunity for human error to impact future monthly scorecards. OIG has marked this recommendation as resolved and closed as a result of DHS’s corrective actions.
Finally, OIG recommended that the Department revise DHS 4300A Policy, Handbook, and Ongoing Authorization methodology to incorporate applicable changes from NIST Special Publications, including SP 800-37, Revision 2, SP 800-53 Revision 5, and SP 800-137A to maintain consistency between the documents. DHS concurred and said that DHS 4300A, Sensitive Systems Handbook, dated November 15, 2015, is currently undergoing a significant update to better align with applicable Federal mandates, DHS Management Directive standards, and industry common practices, including the documents mentioned in OIG’s recommendation. The update had been hindered by the SolarWinds incident response but DHS expects it will be complete by the end of FY 2022.