The Department of Homeland Security’s (DHS) information security program is below the effective level in three of five areas based on federal guidelines, although the department is taking corrective actions to meet requirements, according to an internal audit report.

The department met Level 3 maturity levels for the protect, detect and recover cyber security functions while meeting Level 4—effective—levels in two other functional categories outlined in the National Institute of Standards and Technology Cybersecurity Framework, the DHS Inspector General (IG) said in a report earlier this month. Level 3 refers to “consistently implemented” a particular function.DHS Logo DHS

The two areas where DHS achieved the targeted level of effectiveness in its cyber security protections were identify, which refers to understanding risks to systems and data, and recover, which requires having plans in place for resilience and restoring capabilities and service should a cyber event occur. Level 4 is defined as “managed and measurable.”

Level 5 is the highest level and means cyber security functions are “optimized.”

President Donald Trump last May directed all federal departments and agencies to implement the NIST Cybersecurity Framework, which was developed through a public and private sector collaboration during the Obama administration. That same month, the White House Office of Management and Budget provided the government with implementation guidance for the framework. In August, DHS outlined its implementation plans, saying its top two risks are “’obsolete operating systems and hardware,’ and ‘cybersecurity workforce recruitment, retention, and training,’” for fulfilling the president’s order, the IG said.

The IG conducted its review based on instructions contained in the Federal Information Security Modernization Act (FISMA) of 2014.

“Based on this year’s FISMA results, additional oversight is needed for the department to improve in ensuring that components comply with federal and DHS information security policy,” the IG said, adding that throughout the department’s 15-year history, “components have not effectively managed and secured their information systems.” The report said that department components continue to operate information technology systems without the proper authorities, have used unsupported operating systems, haven’t properly used processes designed to manage risks, and “failed to apply security patches timely.”

The report said that DHS has resolved all five of the IG’s recommendations but is waiting for the department to provide documentation for four of them to demonstrate it has completed its corrective actions before closing these recommendations.