IG: DHS lax on portable device security controls

Related Links

IG report

The Homeland Security Department has not deployed effective controls on portable storage devices that may be attached to its unclassified computer systems, according to an audit report from DHS Inspector General Richard Skinner released today.

“DHS has not implemented effective controls to restrict unauthorized devices from being connected to DHS’ unclassified systems,” the audit stated.
.
The proliferation of portable storage devices that include external hard drives, flash drives and jump drives has been recognized as a risk for computer security. If unauthorized devices are connected to a federal network, that may result in unauthorized access or theft of sensitive information.

During the audit, which was performed from February to May, the IG identified unauthorized data storage devices connected to departmental servers and workstations at 11 DHS component agencies, though it was not clear whether the devices were functioning or whether data had been transferred from those devices.

Skinner also found that DHS' component agencies have not complied with the Office of Management and Budget’s M-06-16 requirements issued two years ago as controls on devices to protect against the unauthorized access to federal data.

Only five of the 11 agencies implemented two-factor authentication, which typically uses both a password and a security token, and none have implemented controls to ensure that data extracts are erased in 90 days or when no longer needed, the audit stated.

Department officials agreed with most of the recommendations, but did not concur with the finding on OMB M-06-16. DHS officials said they were preparing to implement those requirements based on risk and cost analysis.

Skinner said the fixes are overdue. “We maintain our position that it has been two years since OMB’s mandated milestone has elapsed and that DHS should ensure controls outlined in OMB M-06-16 are implemented expeditiously,” he wrote.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.