DHS FISMA ratings go up

Image: Casimiro PT / Shutterstock 

The Department of Homeland Security's information security practices have gone from good to better, according to a new inspector general audit.

Measuring via a five-point scale developed through the Federal Information Security Modernization Act, DHS improved its scores for the "protect" (developing and implementing appropriate safeguards of critical services) and "detect" (monitoring for irregular system activity) functions from a three out of five to four. That gives the department a score of four out five in all FISMA cybersecurity functions except "recover," which remains at a three.

The "protect" function encompasses activities like properly configured workstations with core security settings, strong identity and access management controls, a clearly defined data protection and privacy policy and regular security awareness trainings for staff.

Two areas where DHS was dinged: spotty patching and a lack of effective metrics to measure how its networks perform blocking attempts at data exfiltration.

The agency also lacks a clear plan for addressing its cybersecurity workforce gaps, though this criticism could be applied to the federal government as a whole.The Cybersecurity and Infrastructure Security Agency is standing up a new Cyber Talent Management System to improve hiring, and a recent summit hosted by the agency doubled as a job fair, with Director Chris Krebs saying early results indicate it could lead to as many as 200 new hires.

The "detect" function measures how effective an agency is at monitoring its own network and spotting unauthorized or malicious activity. The improvement was largely attributed to adding dozens of software systems to the department's ongoing authorization and continuous monitoring programs in 2018.

One notable caveat: While DHS has a continuous monitoring program for unclassified systems, it "did not have an equivalent process for automated monitoring and scanning" of national security systems departmentwide, relying instead of data calls with component agencies to measure performance. Auditors used department data and internal scorecards to provide an ad-hoc measurement of performance and found a number of issues, such as a lack of testing around contingency planning by component agencies.

Other problems identified in the report include missing procedures for handling sensitive information and a lack of alternate facilities to support recovery efforts in the event of a service disruption.

Auditors made three recommendations to the department's chief information security officer: Better enforce requirements needed to obtain an authority to operate, test contingency plans and invest more resources to address security weaknesses in unclassified and national security systems. All three recommendations are considered resolved and closed.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.


  • innovation (Sergey Nivens/

    VA embraces procurement challenges at scale

    Steve Kelman applauds the Department of Veterans Affairs' ambitious attempt to move beyond one-off prize-based contests to combat veteran suicides more effectively.

  • big data AI health data

    Where did the ideas for shutdowns and social distancing come from?

    Steve Kelman offers another story about hero civil servants (and a good president).

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.