Watchdog finds sensitive DHS systems vulnerable to hackers

The Department of Homeland Security has been running 136 sensitive or top-secret programs without the proper authorizations, a watchdog report has found, leaving...

The Department of Homeland Security has been running more than 100 sensitive or top-secret programs without the proper authorizations, a watchdog report found, leaving the agency vulnerable to hackers.

Through an audit of the agency’s information security practices, the DHS Office of Inspector General said the department has been running 136 programs — some classified as “top secret” and secret  — with expired authorizations.

“Without addressing these deficiencies, the Department cannot ensure that its systems are properly secured to protect sensitive information stored and processed in them,” the Office of Inspector General said in its report.

In a letter to agency CIO Jeffery Eisensmith, the inspector general’s office concluded that while DHS had been developing some positive cybersecurity habits, it has also failed to report data about its classified systems to the Office of Management and Budget, which monitors FISMA compliance.

The report found the Coast Guard incorrectly reported its records on two-factor authentication compliance with the Defense Information Systems Agency, rather than with DHS.

The report did note that seven DHS components — including the Federal Emergency Management Agency and Customs and Border Protection — met the OMB cyber sprint goal of requiring  its workforce to use personal identity verification (PIV) cards to log on to access agency records.

 

Number of component systems operating without valid authorizations
Component Number of systems
Customers and Border Protection 14
 DHS Headquarters 11
Federal Emergency Management Agency (FEMA) 25
Federal Law Enforcement Training Centers 4
Immigration and Customs Enforcement (ICE) 7
National Protection and Programs Directorate 10
Science and Technology 7
Transportation Security Administration 10
Coast Guard 26
Citizenship and Immigration Services 3
Secret Service 2

DHS agreed with five of the report’s six recommendations:

1. Set up a process in which senior DHS officials are notified when actions are taken to improve information security programs that have been lagging behind. Top DHS officials should also be notified when components failed to report compliance records under FISMA.

2. Improve the FISMA reporting process to ensure that DHS’ classified system data  gets included in the agency’s monthly information security scorecard, and gets submitted to OMB.

3. Strengthen DHS’ oversight of its component’s information security programs to ensure year-long compliance with FISMA requirements.

4. Strengthen information security office oversight to ensure that components maintain plans of action and milestones in DHS’ classified and unclassified enterprise management systems.

5. Perform quality reviews to ensure that the data on information security programs is accurate.

6. Ensure that the information reported in DHS’ monthly scorecards is accurate.

The agency disagreed with recommendation #2, on the grounds that its classified system data falls under different disclosure procedures.

 

 

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories