Audit: DHS makes progress (but not much) in IT security


Written by

The Department of Homeland Security has made significant progress in meeting the demands of the administration’s cybersecurity priorities but needs to do more, according to the department’s inspector general.

In a report released Thursday, the IG detailed an IT audit that looked at the full scope of the department, measuring various benchmarks attached to the 2014 Federal Information Security Management Act.

Among the positives the IG found were various performance plans put into place by DHS Chief Information Security Officer Jeff Eisensmith, including updated and revised metrics specifically tailored to measuring anti-phishing and malware, which provide better insight security plans and continuous monitoring efforts.

Additionally, the report found that three offices — the Office of the Inspector General, U.S. Citizenship and Immigration Services and the Transportation Security Administration — protected 100 percent of their high-value assets and mission-essential systems, while six of the 10 department sub-agencies exceeded the 95 percent goal for protecting all other FISMA-related systems.

Among the flaws the report finds is continued use of Windows XP, which Microsoft stopped supporting in April 2014. Various DHS offices are still working to fully remove XP from their systems, but some instances still are in use, including on workstations at the Federal Emergency Management Agency, that leave top secret data vulnerable.

Additionally, the IG found that 203 enterprise systems carrying sensitive but unclassified information were operating without an authority to do so, over half of which are managed by FEMA.

The report recommends that DHS build upon the progress made in 2015 by tightening the screws on monthly reporting, including data on classified systems in metrics reports to the Office of Management and Budget, and keeping better tabs on PIV card implementation.

You can read the full report below.

Contact the reporter on this story via email at, or follow him on Twitter at @gregotto. His OTR and PGP info can be found here. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here:

-In this Story-

FEMA, FISMA, Government IT News, Homeland Security, Inspector General