DHS agencies don't sustain info security programs, IG says

DHS agencies' monthly FISMA scores peak around annual reporting times and then drop, IG finds

Homeland Security Department agencies don’t sustain their information security programs year-round or perform continuous monitoring to maintain systems’ accreditations and action plans, according to DHS Inspector General Richard Skinner.

The IG’s findings come from an annual independent evaluation of the department’s information security programs required by the Federal Information Security Management Act (FISMA). The law requires agency IGs to conduct the evaluations and agencies themselves to also conduct an annual information security evaluation.

Overall monthly FISMA information security scores for DHS agencies drop considerably after the annual deadline for FISMA reporting passes, the IG found. Overall scores for how well DHS agencies perform certification and accreditation and plans of action and milestones (POA&M) peak in months when the annual FISMA reporting is done and then quickly drop, the report said.

Meanwhile, Skinner also said DHS’ Privacy Office is experiencing delays in reviewing and approving privacy impact assessments (PIAs) that the office is required to perform for many DHS IT systems.

Skinner focused on seven areas of DHS’ information security program that include system inventory, certification and accreditation processes, configuration management and privacy to accomplish the review.

The evaluation was conducted between April and August 2009. A redacted version of the IG’s findings was released Oct. 14.

The IG said DHS continues to improve and strengthen its security program, but the department’s agencies must better follow DHS’ policies and procedures to ensure all weaknesses are fixed.

The IG recommended DHS’ chief information officer:

  • Improve the department’s Information Security Office’s review process to ensure POA&Ms for all systems are complete, accurate and current.
  • Ensure all controls are included in security documentation when certifying and accrediting systems.
  • Improve the process to ensure DHS baseline configuration requirements are met by all systems.
  • Speed up establishment of a departmentwide program to periodically evaluate the security posture of DHS agencies.
  • Establish appropriate training for DHS employees with significant security responsibilities.
  • Ensure the department’s current plan to put in place the Federal Desktop Core Configuration program meets requirements from the Office of Management and Budget.

Skinner recommended that DHS’ chief privacy officer:

  • Establish a process for dealing with PIAs that have been in the review and approval process for an extended period.
  • Define the consequences of not complying with privacy-related rules.

In response, DHS officials agreed with the recommendations and outlined steps it has already taken to deal with them.

About the Author

Ben Bain is a reporter for Federal Computer Week.

FCW in Print

In the latest issue: Looking back on three decades of big stories in federal IT.

Featured

  • FCW @ 30 GPS

    FCW @ 30

    Since 1986, FCW has covered it all -- the major contracts, the disruptive technologies, the picayune scandals and the many, many people who make federal IT function. Here's a look back at six of the most significant stories.

  • Shutterstock image.

    A 'minibus' appropriations package could be in the cards

    A short-term funding bill is expected by Sept. 30 to keep the federal government operating through early December, but after that the options get more complicated.

  • Defense Secretary Ash Carter speaks at the TechCrunch Disrupt conference in San Francisco

    DOD launches new tech hub in Austin

    The DOD is opening a new Defense Innovation Unit Experimental office in Austin, Texas, while Congress debates legislation that could defund DIUx.

  • Shutterstock image.

    Merged IT modernization bill punts on funding

    A House panel approved a new IT modernization bill that appears poised to pass, but key funding questions are left for appropriators.

  • General Frost

    Army wants cyber capability everywhere

    The Army's cyber director said cyber, electronic warfare and information operations must be integrated into warfighters' doctrine and training.

  • Rising Star 2013

    Meet the 2016 Rising Stars

    FCW honors 30 early-career leaders in federal IT.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group