A Nov. 21 inspector general report has shone a light on IT security shortcomings within the Department of Homeland Security, highlighting how the department's current security initiatives fall short of the expectations set by its own information security policies, procedures and practices.
The biggest issue in the department is the absence of basic, up-to-date security measures on IT systems, particularly systems containing classified information.
On top of that, department components are continuing to operate information systems with an expired authority to operate (ATO). As of May 2013, there were 47 systems operating without ATO, 13 of which had been operating without ATO for more than one year. Seventeen classified systems are currently operating without ATO.
This news rankled some members of Congress.
“This report shows major gaps in DHS’ own cybersecurity, including some of the most basic protections that would be obvious to any 13-year-old with a laptop,” Sen. Tom Coburn, R-Okla., said in a statement.
DHS' goal for its security authorization score was 95 percent; as of June 2013, it was at 79 percent. DHS also has not performed any quality reviews of the security authorization artifacts that verify the necessary security controls are in place for the department's "top secret" systems.
On most governmentwide and DHS cross-agency priority goals, such as Trusted Internet Connections (TIC) consolidation, TIC capabilities and continuous monitoring, DHS is roughly on par with the rest of the government. On strong authentication, however, the governmentwide figure is 74 percent whereas DHS is at 50 percent.
Another area of weakness the report highlights is the monitoring of plans of action and milestones, known as POA&Ms. Guidance from the Office of Management and Budget requires POA&Ms to be completed in a timely manner, and DHS requires their completion within six months.
For example, components have not incorporated all known information security weaknesses into POA&Ms for DHS' unclassified systems, and DHS has not established a formal process for tracking its external information systems. Both issues were previously reported in fiscal year 2012.
“The fact is the federal government’s classified and unclassified networks are dangerously insecure, putting at risk not only U.S. national security, but the nation’s critical infrastructure and vast amounts of our citizens’ personally identifiable information,” Coburn said.
Despite the six-month requirement, about 10 percent of open POA&Ms are scheduled to take more than two years to remediate, according to the report.
In the report, the IG lays out several recommendations for the DHS chief information security officer, including ensuring that all operational information systems have a current authority to operate, establishing enterprisewide security training, improving the POA&M review and implementation process, and strengthening oversight of the department's classified systems.