The IT networks that connect airport x-ray machines and other passenger and luggage screening equipment suffer from a plethora of continuing security problems, according to an audit released Thursday.
There are “numerous deficiencies” in the way the Transportation Security Administration manages the networks, says the report, by Department of Homeland Security Inspector General John Roth. Examples given in the redacted report include failure to keep software patched up to date and other violations of DHS’ IT guidelines.
“Failure to comply with these guidelines increases the risk that baggage screening equipment will not operate as intended, resulting in potential loss of confidentiality, integrity, and availability of TSA’s automated explosive, passenger, and baggage screening programs,” the audit said.
The list of problems goes on — Roth said the administration has inadequate disaster recovery, physical and environmental control deficiencies, poor vulnerability reporting and oversight, and a variety of server and data management issues.
In short, TSA greatly mismanaged the Security Technology Integrated Program, or STIP, the “data management system that connects airport transportation security equipment to servers,” the audit said.
For example, STIP uses the outdated Windows Server 2008 operating system, even though DHS guidelines required an upgrade to Windows Server 2012. The TSA also gave non-DHS airport employees access to the servers and did not test its IT security controls.
The OIG reported similar STIP issues in four previous reports, the earliest dating back to 2012.
The TSA agreed with each of OIG’s recommendations but acknowledged the difficulty of improving STIP. The administration has already stopped staff members from preventing software patches and has begun working to include cybersecurity requirements in the procurement process, according to the report. Also, the TSA announced Monday a $90 million contract with engineering consultant TASC Management to perform IT testing and evaluation.
“Like other unique equipment in service across the government, original [transportation security equipment] development was not created with current cyber security threats in mind,” TSA Administrator Peter Neffenger said. “As such, retrofitting these mission-essential tools with up-to-date cybersecurity capabilities designed for current traditional IT systems is extremely challenging and resource intensive.”
Contact the reporter on this story via email: Jeremy.Snow@FedScoop.com.