DHS agencies don't sustain info security programs, IG says

DHS agencies' monthly FISMA scores peak around annual reporting times and then drop, IG finds

Homeland Security Department agencies don’t sustain their information security programs year-round or perform continuous monitoring to maintain systems’ accreditations and action plans, according to DHS Inspector General Richard Skinner.

The IG’s findings come from an annual independent evaluation of the department’s information security programs required by the Federal Information Security Management Act (FISMA). The law requires agency IGs to conduct the evaluations and agencies themselves to also conduct an annual information security evaluation.

Overall monthly FISMA information security scores for DHS agencies drop considerably after the annual deadline for FISMA reporting passes, the IG found. Overall scores for how well DHS agencies perform certification and accreditation and plans of action and milestones (POA&M) peak in months when the annual FISMA reporting is done and then quickly drop, the report said.

Meanwhile, Skinner also said DHS’ Privacy Office is experiencing delays in reviewing and approving privacy impact assessments (PIAs) that the office is required to perform for many DHS IT systems.

Skinner focused on seven areas of DHS’ information security program that include system inventory, certification and accreditation processes, configuration management and privacy to accomplish the review.

The evaluation was conducted between April and August 2009. A redacted version of the IG’s findings was released Oct. 14.

The IG said DHS continues to improve and strengthen its security program, but the department’s agencies must better follow DHS’ policies and procedures to ensure all weaknesses are fixed.

The IG recommended DHS’ chief information officer:

  • Improve the department’s Information Security Office’s review process to ensure POA&Ms for all systems are complete, accurate and current.
  • Ensure all controls are included in security documentation when certifying and accrediting systems.
  • Improve the process to ensure DHS baseline configuration requirements are met by all systems.
  • Speed up establishment of a departmentwide program to periodically evaluate the security posture of DHS agencies.
  • Establish appropriate training for DHS employees with significant security responsibilities.
  • Ensure the department’s current plan to put in place the Federal Desktop Core Configuration program meets requirements from the Office of Management and Budget.

Skinner recommended that DHS’ chief privacy officer:

  • Establish a process for dealing with PIAs that have been in the review and approval process for an extended period.
  • Define the consequences of not complying with privacy-related rules.

In response, DHS officials agreed with the recommendations and outlined steps it has already taken to deal with them.

About the Author

Ben Bain is a reporter for Federal Computer Week.


  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.