The Department of Homeland Security’s (DHS) Office of Inspector General (OIG) released a report Wednesday saying that despite improvements, it recommends the department take four further steps to strengthen the oversight of its information security program.
The report found that while DHS has taken actions to strengthen the information security program, components are still not consistently following DHS policies and procedures to maintain current or complete information on remediating security weaknesses timely.
The OIG reviewed DHS’s information security program in accordance with the Federal Information Security Modernization Act of 2014 (FISMA), seeking to determine if the department’s information security program is adequate, effective, and complies with FISMA requirements. The law requires agency chief information officers (CIO) coordinate with senior agency officials to report annually to agency heads on the effectiveness of the information security program. Then the OIG must independently evaluate the effectiveness of the agency’s information security programs and practices annually.
The report cited improvements including increased security training and exercises to employees and contractors, implementing endpoint protection solutions and two-factor authentication on DHS’ classified network, identifying more remediation security weaknesses in the previous year, and as of May 2016 all Components were reporting information security metrics to the Department to allow it to better evaluate security posture.
However, the OIG also found that despite this progress program components “were not consistently following DHS’ policies and procedures to maintain current or complete information on remediating security weaknesses timely.” It noted the components operated 79 unclassified systems with expired authorities to operate, has not consolidated all internet traffic behind the DHS’ trusted internet connections, and continued to use unsupported operating systems that may expose department data to unnecessary risks.
The report also identified deficiencies related to configuration management and continuous monitoring.
“Without addressing these deficiencies, the Department cannot ensure that its systems are adequately secured to protect the sensitive information stored and processed in them,” the OIG said.
The findings made four recommendations to DHS Chief Information Security Officer (CISO) Jeffrey Eisensmith to remedy these problems:
- Maintain the process for informing Dept. senior executives on planned remedial actions to improve Components’ information security programs that consistently lagged behind in key performance metrics on the FY 2016 information scorecard;
- institute an annual performance plan to communicate requirements, priorities, and overall goals for national security systems (Secret and Top Secret);
- expedite the implementation of strong authentication by ensuring the use of PIC cards by all privileged access account holders; and
- strengthen ISO oversight to ensure that Components track and maintain POA&Ms in the Department’s classified and unclassified enterprise management systems as required.
The department concurred with all four recommendations and Sondra McCauley, assistant Inspector General of the Office of Information Technology Audits, write in a memo attached to the report for Eisensmith that “based on information provided in the Department’s response to the draft report, we consider recommendations 1, 2, 3 and 4 open and resolved.” The Office of the CISO is directed to submit a formal closeout letter to the OIG after implementing the recommendations, accompanied with evidence of completion of the corrective actions.