Although there are still a number of issues that need to be addressed with the Department of Homeland Security’s information security efforts, the department is improving in many areas and making strong progress toward implementing better security controls, a new report from the Inspector General found.
DHS, which is responsible for a large portion of the security programs in the federal government, has been criticized sharply in the past for not meeting minimum standards on various basic security controls. The IG, as well as members of Congress, have taken the department to task for falling behind on requirements such as patching, implementing strong authentication and exerting better control over external systems. The latest report from the Office of the Inspector General shows that the department is moving in the right direction on many things, but still has plenty of room for improvement.
The report shows that some components of DHS are running systems without an authority to operate, haven't consolidated all of their external network connections under the trusted Internet connection program and don't have a formal process for tracking external systems.
“We identified a number of issues that DHS needs to address to strengthen its security posture. For example, we determined that components are not satisfying all of the Department’s information security policies, procedures, and practices. Specifically, we identified deficiencies in component POA&M [plan of action and milestones] management, system security authorization, and the consolidation of external network connections. In addition, components have not implemented all system configurations in accordance with DHS policies and procedures,” the new report says.
One major problem that the IG found in the DHS program, and one that has been ongoing for at least a year, is the department's lack of a management program for tracking security vulnerabilities in its classified systems. The department uses an enterprise management tool to track remediation progress on most such findings, but the IG found this wasn't the case for vulnerabilities in classified systems, where the plans of action are tracked manually and outside that tool.
“DHS does not monitor the adequacy of the POA&Ms for its ‘Top Secret’ systems. For example, DHS has yet to perform any reviews or oversight functions on ‘Top Secret’ POA&Ms that are manually tracked outside of the Department’s enterprise management tools. As a result, DHS cannot ensure that POA&Ms have been created to mitigate the security vulnerabilities identified on its ‘Top Secret’ systems and ensure they are managed in accordance with DHS’ policies and procedures,” the report says.
A second issue is that DHS doesn't consistently enforce approved baseline configurations on its systems, on desktops as well as servers. The IG report found inconsistent implementation of the configuration settings across components and recommended that the department's CIO ensure that this state of affairs changes. DHS management, commenting on the IG's recommendations, said that it plans to have this problem addressed by the end of the fiscal year.
“During FY 2013, DHS completed major steps toward achieving this goal. There are 11 out of 12 Components now using the approved baseline configuration settings. The rigor of configuration management will be increased in FY 2014 by expanding relevant scorecard metrics to include devices beyond Windows platforms,” the comment said.
Overall, the IG report said that DHS is moving forward with its security programs and making strides toward hardening the department’s internal and external systems.
“DHS continues to improve and strengthen its information security program. During the past year, DHS drafted an ongoing authorization methodology to help improve the security of the Department’s information systems through a new risk management approach. This revised approach transitions the Department from a static, paperwork-driven, security authorization process to a dynamic framework that can provide security-related information on demand to make risk-based decisions based on frequent updates to security plans, security assessment reports, and hardware and software inventories,” the report says.