The Department of Homeland Security (DHS) continues to use unsupported operating systems that may expose agency data to unnecessary risks, according to a recent evaluation issued by the DHS Office of Inspector General (OIG).
DHS OIG released an evaluation of the agency’s information security program on Jan. 18. The evaluation assesses the DHS information security program’s compliance with the Federal Information Security Modernization Act (FISMA) of 2014. FISMA requires that each agency develop its own security program to protect data and information systems.
The evaluation reflects that DHS needs increased oversight of its information security program. Over the past two years, the undersecretary of management ordered DHS to strengthen its cybersecurity defenses through measures such as consolidating the agency’s traffic in trusted connections, using personal identity verification (PIV) cards, retiring all discontinued operating systems and servers, and hosting training sessions on phishing.
Although OIG’s report stated that DHS has started many of these efforts, it also reveals that the agency delayed releasing its “Fiscal Year 2016 Information Security Performance Plan” and has yet to establish a metric system for its “secret” system scorecards. DHS OIG also uncovered deficiencies in configuration management, continuous monitoring, and contingency planning.
“Without addressing these deficiencies, the Department cannot ensure that its systems are properly secured to protect the sensitive information stored and processed in them,” the DHS OIG report states. “While improvements have been made, the Department can strengthen its oversight of its information security program.”
DHS also needs to accurately report its software assets, the evaluation states. All 12 of DHS’s components are required to report their systems, but Customs and Border Protection (CBP), the National Protection and Programs Directorate (NPPD), the Transportation Security Administration (TSA), the United States Coast Guard (USCG), and the United States Secret Service (USSS) have not done so.
OIG also conducted a vulnerability assessment of eight systems across six DHS components and found that several servers were running outdated operating systems that should have been updated in 2012.
The evaluation presents four recommendations for DHS. OIG recommends the chief information security officer maintain the process for reporting remedial actions to senior executives, create an annual performance plan for security systems, ensure that all privileged access holders use PIV cards, and strengthen information security officer oversight. DHS concurred with all four recommendations.