The Department of Homeland Security’s (DHS) Office of Inspector General (OIG) on Monday released its semiannual report to Congress, and outside of recurring calls for better cyber threat information sharing, improvements to identity access management, and concerns about U.S. Coast Guard (USCG) IT acquisitions, the report appears to be free of major IT red alerts within the agency. The report covers the period from October 2017 to March 2018.
That first concern–over cyber threat data sharing–responds to requirements of the Cybersecurity Act of 2015. OIG found that DHS had met the requirements of the legislation, but said the agency still “faces challenges to effectively share cyber threat information across Federal and private sector entities.”
“The system DHS uses does not provide the high-quality, contextual data needed to effectively defend against ever-evolving threats,” the report continues.
To remedy that, DHS’s National Cybersecurity and Communications Integration Center is working to implement “Automated Indicator Sharing” to help organizations–such as those in the private sector–overcome technical, resource, or cultural issues that make sharing data difficult or undesirable.
The second concern–over identity access management–responds to Homeland Security Presidential Directive-12 (HSPD-12), which requires development of a government-wide standard for secure and reliable identification for Federal employees and contractors.
OIG said DHS “has not made much progress in implementing requirements” of HSPD-12 and noted the agency is facing particular challenges with physical access controls for facilities, and ensuring termination of cards for separated employees.
DHS said it will coordinate risk assessments for its information systems, and implement personal identity verification-enablement for its unclassified systems.
The third notable IT concern–regarding Coast Guard IT acquisitions–states that USCG approved around $1.8 billion in IT procurements from 2014 to 2016, but doesn’t know if close to 400 of its systems are receiving proper acquisition oversight.
OIG said that USCG acquisition and IT review operate independently of one another, that IT investments lack proper oversight controls, and that there is an overall lack of reliable data on acquisitions.
DHS said that USCG is reviewing those gaps and putting new processes in place to revise its acquisition process.
The issues OIG flagged in the report highlight areas of possible improvement for IT operations management and interdepartmental collaboration, but generally represent ongoing development challenges seen across agencies.
That the report did not highlight any glaring discrepancies in DHS’s IT operations could be a positive sign as the agency continues its role coordinating cybersecurity efforts for all the major civilian agencies in the Federal enterprise.