DHS agencies don't sustain info security programs, IG says

DHS agencies' monthly FISMA scores peak around annual reporting times and then drop, IG finds

Homeland Security Department agencies don’t sustain their information security programs year-round or perform continuous monitoring to maintain systems’ accreditations and action plans, according to DHS Inspector General Richard Skinner.

The IG’s findings come from an annual independent evaluation of the department’s information security programs required by the Federal Information Security Management Act (FISMA). The law requires agency IGs to conduct the evaluations and agencies themselves to also conduct an annual information security evaluation.

Overall monthly FISMA information security scores for DHS agencies drop considerably after the annual deadline for FISMA reporting passes, the IG found. Overall scores for how well DHS agencies perform certification and accreditation and plans of action and milestones (POA&M) peak in months when the annual FISMA reporting is done and then quickly drop, the report said.

Meanwhile, Skinner also said DHS’ Privacy Office is experiencing delays in reviewing and approving privacy impact assessments (PIAs) that the office is required to perform for many DHS IT systems.

Skinner focused on seven areas of DHS’ information security program that include system inventory, certification and accreditation processes, configuration management and privacy to accomplish the review.

The evaluation was conducted between April and August 2009. A redacted version of the IG’s findings was released Oct. 14.

The IG said DHS continues to improve and strengthen its security program, but the department’s agencies must better follow DHS’ policies and procedures to ensure all weaknesses are fixed.

The IG recommended DHS’ chief information officer:

  • Improve the department’s Information Security Office’s review process to ensure POA&Ms for all systems are complete, accurate and current.
  • Ensure all controls are included in security documentation when certifying and accrediting systems.
  • Improve the process to ensure DHS baseline configuration requirements are met by all systems.
  • Speed up establishment of a departmentwide program to periodically evaluate the security posture of DHS agencies.
  • Establish appropriate training for DHS employees with significant security responsibilities.
  • Ensure the department’s current plan to put in place the Federal Desktop Core Configuration program meets requirements from the Office of Management and Budget.

Skinner recommended that DHS’ chief privacy officer:

  • Establish a process for dealing with PIAs that have been in the review and approval process for an extended period.
  • Define the consequences of not complying with privacy-related rules.

In response, DHS officials agreed with the recommendations and outlined steps it has already taken to deal with them.

About the Author

Ben Bain is a reporter for Federal Computer Week.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.