DHS FISMA ratings go up

The Department of Homeland Security's information security practices have gone from good to better, according to a new inspector general audit.

Measuring via a five-point scale developed through the Federal Information Security Modernization Act, DHS improved its scores for the "protect" (developing and implementing appropriate safeguards of critical services) and "detect" (monitoring for irregular system activity) functions from a three out of five to four. That gives the department a score of four out five in all FISMA cybersecurity functions except "recover," which remains at a three.

The "protect" function encompasses activities like properly configured workstations with core security settings, strong identity and access management controls, a clearly defined data protection and privacy policy and regular security awareness trainings for staff.

Two areas where DHS was dinged: spotty patching and a lack of effective metrics to measure how its networks perform blocking attempts at data exfiltration.

The agency also lacks a clear plan for addressing its cybersecurity workforce gaps, though this criticism could be applied to the federal government as a whole.The Cybersecurity and Infrastructure Security Agency is standing up a new Cyber Talent Management System to improve hiring, and a recent summit hosted by the agency doubled as a job fair, with Director Chris Krebs saying early results indicate it could lead to as many as 200 new hires.

The "detect" function measures how effective an agency is at monitoring its own network and spotting unauthorized or malicious activity. The improvement was largely attributed to adding dozens of software systems to the department's ongoing authorization and continuous monitoring programs in 2018.

One notable caveat: While DHS has a continuous monitoring program for unclassified systems, it "did not have an equivalent process for automated monitoring and scanning" of national security systems departmentwide, relying instead of data calls with component agencies to measure performance. Auditors used department data and internal scorecards to provide an ad-hoc measurement of performance and found a number of issues, such as a lack of testing around contingency planning by component agencies.

Other problems identified in the report include missing procedures for handling sensitive information and a lack of alternate facilities to support recovery efforts in the event of a service disruption.

Auditors made three recommendations to the department's chief information security officer: Better enforce requirements needed to obtain an authority to operate, test contingency plans and invest more resources to address security weaknesses in unclassified and national security systems. All three recommendations are considered resolved and closed.