The Department of Homeland Security and the civilian agencies that receive its binding operational directives (BODs) must do more to ensure that those cybersecurity mandates are followed in full and on time, according to a new Government Accountability Office report.
GAO audited the five-step BOD process across the five directives that were in effect as of December 2018, at a random sample of 12 civilian agencies. The congressional watchdog agency found that DHS doesn’t always coordinate with stakeholders when developing directives or consistently validate agencies’ self-reported actions toward addressing the mandates.
“DHS is not well-positioned to validate all directives because it lacks a risk-based approach as well as a strategy to check selected agency-reported actions to validate their completion,” reads the report.
The Federal Information Security Modernization Act of 2014 (FISMA) gives DHS the authority to issue BODs, which require agencies to do things like better secure their websites or email systems, lest they remain vulnerable to cyberattacks. Since 2015, DHS has issued eight BODs.
While DHS has started holding regular coordination meetings with the National Institute of Standards and Technology — which provides governmentwide expertise for cybersecurity policies — the GAO says the department often only reached out to NIST one to two weeks before issuing a BOD and ignored technical comments.
DHS, as a result, risked writing directives that conflicted with NIST guidance, GAO says.
A 2015 BOD gives agencies 30 days to mitigate critical vulnerabilities uncovered by DHS scans of their internet-accessible systems. Agencies achieved 87% compliance in 2017, though that number dropped to 85% in 2018 and 61% in 2019 — the decline attributed to the 35-day partial government shutdown from late December 2018 to late January 2019.
Still, about 2,500 of the 3,600 vulnerabilities discovered were mitigated over those four years.
Agencies also mitigated risks to more than 11,000 devices after DHS issued the 2016 Threat to Network Infrastructure Devices directive, which required them to address several “urgent vulnerabilities” targeting firewalls across federal networks.
GAO recommended DHS determine when to coordinate with stakeholders when developing directives, as well as develop a strategy for validating agencies’ self-reported actions — using a risk-based approach when possible.
Two other recommendations pertained to DHS’s Securing High Value Assets directive, which is designed to protect agencies’ most critical information and systems.
DHS leads in-depth assessments of high-value assets that agencies identify, but GAO found its performance metric didn’t allow agencies to submit remediation plans when a weakness couldn’t be addressed within the BOD’s 30-day timeframe. GAO recommended realigning the metric.
In fiscal 2018, DHS only completed 61 of 142 required high-value asset assessments, and in fiscal 2019 that number was 73 out of 142 assessments — leaving 150 remaining. DHS has no schedule for completing a reassessment of the program.
DHS also doesn’t plan to finalize guidance for agencies, contractors and independent assessors on conducting reviews of assets not included in its review until the end of fiscal 2020.
GAO recommended developing a schedule and plan for addressing these outstanding issues and identifying the resources it needs. DHS concurred with all four recommendations.