DHS tackles backlog of unauthorized IT systems
- By Mark Rockwell
- Jan 20, 2017
The Department of Homeland Security's inspector general patted the agency on the back for its progress in cybersecurity training and stronger security practices, but it said the agency is still fielding IT systems without required authority to operate certification and has some continuous monitoring risk management issues to address.
The IG's report said the agency had taken "significant" steps to get behind DHS Secretary Jeh Johnson's January 2016 memo requiring component agencies to step up their cybersecurity measures, including training for employees and contractors, using two-factor authentication for its classified network and reporting security metrics.
However, the IG report, issued on Jan. 18, said 79 of the agency's unclassified networks lacked current authorities to operate.
Still, this represents an improvement over fiscal year 2015, when 203 systems were operating without the needed approvals.
The Federal Emergency Management Agency managed to reduce its number of non-ATO systems from 111 in 2015 to 15 in 2016, it said. On the other hand, Customs and Border Protection's total of non-ATO systems rose from eight in fiscal 2015 to 12 in 2016, according to the report.
Agency components have improved their reporting under the continuous monitoring Ongoing Authorization program, it said. The program conducts security authorizations of systems on an ongoing basis using real-time data from Continuous Diagnostics and Monitoring sensors to determine risks. DHS has been a role model for setting up OA across the federal government.
As of July 2016, the report said 96 systems from seven DHS components (CBP, headquarters, Immigration and Customs Enforcement, the Federal Law Enforcement Training Center, the IG's office, Transportation Security Administration and Citizenship and Immigration Services) had signed up for the OA. Only 82 systems were enrolled in OA in fiscal 2015.
The report made four recommendations to address the gaps it found. They included:
- Keeping the agency's senior executives informed on agencies that are lagging behind on implementation.
- Instituting an annual performance plan on requirements, priorities and overall goals for national security systems.
- Accelerating the use of personal identity verification cards for all privileged access account holders.
- Strengthening oversight to ensure component agencies are following their plans of action and milestones for classified and unclassified enterprise management systems.
DHS concurred with all of the recommendations.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Click here for previous articles by Rockwell.
Contact him at [email protected] or follow him on Twitter at @MRockwell4.