Fixing the DHS cybersecurity gap

The Homeland Security Department's inspector general has completed an information security audit of the agency, which shows DHS officials are still struggling with internal cybersecurity issues. But that comes as no surprise to management experts.

The public flogging of DHS and all federal agencies is fine as long as people have reasonable expectations about cybersecurity, said Paul Proctor, vice president of security and risk strategies at the META Group, an information technology and business consulting company.

"I say, keep up the hammering, but recognize that many agencies are doing the work necessary to get there eventually," Proctor said.

The report, released Oct. 27, highlights areas in which DHS officials have improved the department's information security practices and policies. But the overall tone of the report is negative. "We recommend that DHS continue to consider its information systems security program a significant deficiency" for fiscal 2004, the auditors state in the report's summary.

They conducted the information security audit between April and September, according to guidelines set by Office of Management and Budget officials. OMB officials developed the guidelines to help federal agencies comply with the Federal Information Security Management Act of 2002.

The report cites the chief information officer's lack of authority to manage DHS' departmentwide IT programs and spending as a significant factor in the department officials' struggle to secure the agency's information systems. It states that the absence of a formal reporting relationship between the CIO and the program organizations within the department continues to undermine DHS' information security program.

Lynn McNulty, director of government affairs at the International Information Systems Security Certification Consortium and a former government computer security official, was quick to defend DHS' information security efforts in light of the constraints on its CIO.

"He doesn't have command authority over what is going on in the 27 different agencies in DHS," McNulty said. "Unless they want to give him that, then all he can do is plead with them and offer constructive alternatives, but he has no mechanism to force compliance."

In a written response to the audit, Steve Cooper, DHS' CIO, said he generally concurred with the findings. He also expressed appreciation for what he described as "the open dialogue and strengthened relationship ...that have emerged in the past year" between his office and the inspector general's office.

***

Audit reveals no surprises

A new audit by the Homeland Security Department's inspector general highlights the following areas:

Progress: DHS officials have hired a contractor to develop a methodology for conducting a systems inventory across the 27 agencies that merged in March 2003 to become DHS.

Concern: The department still lacks a comprehensive inventory of its information systems, as required by the Federal Information Security Management Act of 2002.

Source: Homeland Security Department

Featured

  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.