Fixing the DHS cybersecurity gap

The Homeland Security Department's inspector general has completed an information security audit of the agency, which shows DHS officials are still struggling with internal cybersecurity issues. But that comes as no surprise to management experts.

The public flogging of DHS and all federal agencies is fine as long as people have reasonable expectations about cybersecurity, said Paul Proctor, vice president of security and risk strategies at the META Group, an information technology and business consulting company.

"I say, keep up the hammering, but recognize that many agencies are doing the work necessary to get there eventually," Proctor said.

The report, released Oct. 27, highlights areas in which DHS officials have improved the department's information security practices and policies. But the overall tone of the report is negative. "We recommend that DHS continue to consider its information systems security program a significant deficiency" for fiscal 2004, the auditors state in the report's summary.

They conducted the information security audit between April and September, according to guidelines set by Office of Management and Budget officials. OMB officials developed the guidelines to help federal agencies comply with the Federal Information Security Management Act of 2002.

The report cites the chief information officer's lack of authority to manage DHS' departmentwide IT programs and spending as a significant factor in the department officials' struggle to secure the agency's information systems. It states that the absence of a formal reporting relationship between the CIO and the program organizations within the department continues to undermine DHS' information security program.

Lynn McNulty, director of government affairs at the International Information Systems Security Certification Consortium and a former government computer security official, was quick to defend DHS' information security efforts in light of the constraints on its CIO.

"He doesn't have command authority over what is going on in the 27 different agencies in DHS," McNulty said. "Unless they want to give him that, then all he can do is plead with them and offer constructive alternatives, but he has no mechanism to force compliance."

In a written response to the audit, Steve Cooper, DHS' CIO, said he generally concurred with the findings. He also expressed appreciation for what he described as "the open dialogue and strengthened relationship ...that have emerged in the past year" between his office and the inspector general's office.


Audit reveals no surprises

A new audit by the Homeland Security Department's inspector general highlights the following areas:

Progress: DHS officials have hired a contractor to develop a methodology for conducting a systems inventory across the 27 agencies that merged in March 2003 to become DHS.

Concern: The department still lacks a comprehensive inventory of its information systems, as required by the Federal Information Security Management Act of 2002.

Source: Homeland Security Department


  • 2018 Fed 100

    The 2018 Federal 100

    This year's Fed 100 winners show just how much committed and talented individuals can accomplish in federal IT. Read their profiles to learn more!

  • Census
    How tech can save money for 2020 census

    Trump campaign taps census question as a fund-raising tool

    A fundraising email for the Trump-Pence reelection campaign is trying to get supporters behind a controversial change to the census -- asking respondents whether or not they are U.S. citizens.

  • Cloud
    DOD cloud

    DOD's latest cloud moves leave plenty of questions

    Speculation is still swirling about the implications of the draft solicitation for JEDI -- and about why a separate agreement for cloud-migration services was scaled back so dramatically.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.