DHS tackles backlog of unauthorized IT systems

A report by the agency's inspector general says DHS has made progress in cybersecurity training, dual-factor authentication and certifying systems, but more than 50 of its unclassified systems still lack authorities to operate.


The Department of Homeland Security's inspector general patted the agency on the back for its progress in cybersecurity training and stronger security practices, but it said the agency is still fielding IT systems without the required authority-to-operate certification and has some continuous monitoring and risk management issues to address.

The IG's report said the agency had taken "significant" steps to get behind DHS Secretary Jeh Johnson's January 2016 memo requiring component agencies to step up their cybersecurity measures, including training for employees and contractors, using two-factor authentication for its classified network and reporting security metrics.

However, the IG report, issued on Jan. 18, said 79 of the agency's unclassified networks lacked current authorities to operate.

Still, this represents an improvement over fiscal year 2015, when 203 systems were operating without the needed approvals.

The Federal Emergency Management Agency managed to reduce its number of non-ATO systems from 111 in 2015 to 15 in 2016, it said. On the other hand, Customs and Border Protection's total of non-ATO systems rose from eight in fiscal 2015 to 12 in 2016, according to the report.

Agency components have improved their reporting under the continuous monitoring Ongoing Authorization program, it said. The program conducts security authorizations of systems on an ongoing basis using real-time data from Continuous Diagnostics and Monitoring sensors to determine risks. DHS has been a role model for setting up OA across the federal government.

As of July 2016, the report said 96 systems from seven DHS components (CBP, headquarters, Immigration and Customs Enforcement, the Federal Law Enforcement Training Center, the IG's office, Transportation Security Administration and Citizenship and Immigration Services) had signed up for the OA. Only 82 systems were enrolled in OA in fiscal 2015.

The report made four recommendations to address the gaps it found. They included:

  • Keeping the agency's senior executives informed on agencies that are lagging behind on implementation.
  • Instituting an annual performance plan on requirements, priorities and overall goals for national security systems.
  • Accelerating the use of personal identity verification cards for all privileged access account holders.
  • Strengthening oversight to ensure component agencies are following their plans of action and milestones for classified and unclassified enterprise management systems.

DHS concurred with all of the recommendations.