IG: DHS lax on portable device security controls

Related Links

IG report

The Homeland Security Department has not deployed effective controls on portable storage devices that may be attached to its unclassified computer systems, according to an audit report from DHS Inspector General Richard Skinner released today.

“DHS has not implemented effective controls to restrict unauthorized devices from being connected to DHS’ unclassified systems,” the audit stated.
.
The proliferation of portable storage devices that include external hard drives, flash drives and jump drives has been recognized as a risk for computer security. If unauthorized devices are connected to a federal network, that may result in unauthorized access or theft of sensitive information.

During the audit, which was performed from February to May, the IG identified unauthorized data storage devices connected to departmental servers and workstations at 11 DHS component agencies, though it was not clear whether the devices were functioning or whether data had been transferred from those devices.

Skinner also found that DHS' component agencies have not complied with the Office of Management and Budget’s M-06-16 requirements issued two years ago as controls on devices to protect against the unauthorized access to federal data.

Only five of the 11 agencies implemented two-factor authentication, which typically uses both a password and a security token, and none have implemented controls to ensure that data extracts are erased in 90 days or when no longer needed, the audit stated.

Department officials agreed with most of the recommendations, but did not concur with the finding on OMB M-06-16. DHS officials said they were preparing to implement those requirements based on risk and cost analysis.

Skinner said the fixes are overdue. “We maintain our position that it has been two years since OMB’s mandated milestone has elapsed and that DHS should ensure controls outlined in OMB M-06-16 are implemented expeditiously,” he wrote.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.