DHS agencies don't sustain info security programs, IG says

DHS agencies' monthly FISMA scores peak around annual reporting times and then drop, IG finds

Homeland Security Department agencies don’t sustain their information security programs year-round or perform continuous monitoring to maintain systems’ accreditations and action plans, according to DHS Inspector General Richard Skinner.

The IG’s findings come from an annual independent evaluation of the department’s information security programs required by the Federal Information Security Management Act (FISMA). The law requires agency IGs to conduct the evaluations and agencies themselves to also conduct an annual information security evaluation.

Overall monthly FISMA information security scores for DHS agencies drop considerably after the annual deadline for FISMA reporting passes, the IG found. Overall scores for how well DHS agencies perform certification and accreditation and plans of action and milestones (POA&M) peak in months when the annual FISMA reporting is done and then quickly drop, the report said.

Meanwhile, Skinner also said DHS’ Privacy Office is experiencing delays in reviewing and approving privacy impact assessments (PIAs) that the office is required to perform for many DHS IT systems.

Skinner focused on seven areas of DHS’ information security program that include system inventory, certification and accreditation processes, configuration management and privacy to accomplish the review.

The evaluation was conducted between April and August 2009. A redacted version of the IG’s findings was released Oct. 14.

The IG said DHS continues to improve and strengthen its security program, but the department’s agencies must better follow DHS’ policies and procedures to ensure all weaknesses are fixed.

The IG recommended DHS’ chief information officer:

  • Improve the department’s Information Security Office’s review process to ensure POA&Ms for all systems are complete, accurate and current.
  • Ensure all controls are included in security documentation when certifying and accrediting systems.
  • Improve the process to ensure DHS baseline configuration requirements are met by all systems.
  • Speed up establishment of a departmentwide program to periodically evaluate the security posture of DHS agencies.
  • Establish appropriate training for DHS employees with significant security responsibilities.
  • Ensure the department’s current plan to put in place the Federal Desktop Core Configuration program meets requirements from the Office of Management and Budget.

Skinner recommended that DHS’ chief privacy officer:

  • Establish a process for dealing with PIAs that have been in the review and approval process for an extended period.
  • Define the consequences of not complying with privacy-related rules.

In response, DHS officials agreed with the recommendations and outlined steps it has already taken to deal with them.

About the Author

Ben Bain is a reporter for Federal Computer Week.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.