DHS agencies don't sustain info security programs, IG says
DHS agencies' monthly FISMA scores peak around annual reporting times and then drop, IG finds
Homeland Security Department agencies don’t sustain their information security programs year-round or perform continuous monitoring to maintain systems’ accreditations and action plans, according to DHS Inspector General Richard Skinner.
The IG’s findings come from an annual independent evaluation of the department’s information security programs required by the Federal Information Security Management Act (FISMA). The law requires agency IGs to conduct the evaluations and agencies themselves to also conduct an annual information security evaluation.
Overall monthly FISMA information security scores for DHS agencies drop considerably after the annual deadline for FISMA reporting passes, the IG found. Overall scores for how well DHS agencies perform certification and accreditation and plans of action and milestones (POA&M) peak in months when the annual FISMA reporting is done and then quickly drop, the report said.
Meanwhile, Skinner also said DHS’ Privacy Office is experiencing delays in reviewing and approving privacy impact assessments (PIAs) that the office is required to perform for many DHS IT systems.
Skinner focused on seven areas of DHS’ information security program that include system inventory, certification and accreditation processes, configuration management and privacy to accomplish the review.
The evaluation was conducted between April and August 2009. A redacted version of the IG’s findings was released Oct. 14.
The IG said DHS continues to improve and strengthen its security program, but the department’s agencies must better follow DHS’ policies and procedures to ensure all weaknesses are fixed.
The IG recommended DHS’ chief information officer:
- Improve the department’s Information Security Office’s review process to ensure POA&Ms for all systems are complete, accurate and current.
- Ensure all controls are included in security documentation when certifying and accrediting systems.
- Improve the process to ensure DHS baseline configuration requirements are met by all systems.
- Speed up establishment of a departmentwide program to periodically evaluate the security posture of DHS agencies.
- Establish appropriate training for DHS employees with significant security responsibilities.
- Ensure the department’s current plan to put in place the Federal Desktop Core Configuration program meets requirements from the Office of Management and Budget.
Skinner recommended that DHS’ chief privacy officer:
In response, DHS officials agreed with the recommendations and outlined steps it has already taken to deal with them.
Ben Bain is a reporter for Federal Computer Week.