The Department of Homeland Security has a defense-in-depth approach to cybersecurity across the enterprise that includes a number of tools and technologies to detect and prevent threats, share information and maintain situational awareness, but it falls short in training its employees on best practices and in keeping up with current guidance, the department’s inspector general (IG) says in a report issued last week.

Despite DHS requirements for annual cybersecurity awareness training, a sampling to evaluate compliance showed that in seven of the department’s eight operational components, not all users completed the training, says the report, “DHS Can Better Mitigate the Risks Associated with Malware, Ransomware, and Phishing Attacks” (OIG-22-62).

The Federal Emergency Management Agency was the one component in fiscal years 2019 and 2020 where all of the sampled users completed their cybersecurity awareness training, the report says. Customs and Border Protection, U.S. Citizenship and Immigration Services, the Transportation Security Administration, and Immigration and Customs Enforcement showed strong compliance rates in both years.

While DHS headquarters’ training results were poor in FY ’19, results were strong in FY ’20, the IG report shows.

The Federal Law Enforcement Training Center was the worst performer in terms of the percentage of users who completed their training, followed by the Coast Guard, which showed strong improvement in FY ’20, the report shows.

The IG also says that DHS hasn’t updated its cybersecurity policy guidance, pointing out that its Sensitive Systems Handbook and Concept of Operations Strategy “did not reflect the latest cybersecurity standards put forth by” the National Institute of Standards and Technology in various special publications.

The DHS Office of the Chief Information Officer, which is responsible for protecting information networks within the department, agreed with all of the IG’s recommendations.