DHS watchdog digs into uneven cyber awareness training, outdated policies

The Department of Homeland Security can do more to protect itself from malware, ransomware and phishing attacks, its watchdog office says in a recent report. 

The Aug. 22 report covers results of an audit done from 2020 to early 2022 that reaches back to training data from fiscal year 2019. It points specifically to internal DHS policies and procedures that need to be updated to cover the latest cybersecurity standards, as well as uneven cybersecurity awareness training for DHS employees.

DHS does have "multiple layers of defense" like "specific tools and technologies to further detect and prevent security events on component systems and to help protect DHS' network communication and data," but its "policies and procedures do not reflect the latest cybersecurity standards," the report says.

The department, though, says that the report doesn't give a "complete context regarding the actions taken, on-going and planned to mature the Department's Cybersecurity Awareness Training Program."

Jim Crumpacker, director of the DHS Departmental GAO-OIG Liaison Office, pointed to an enterprise plan released in May that he says will address existing gaps and National Institute of Standards and Technology requirements and require components to create their own training plans, as well as an updated working group that's already helped with new, role-based minimum training standards approved for the department in July. Crumpacker wrote in reply comments that he was concerned that "cold readers" of the report would not get a complete picture of efforts underway at DHS to improve cyber training. 

The office of the inspector general responded in the report that they first learned of these actions in that July 28 management response included in the report, and wasn't told about them during the audit or briefings on findings.

The report says that DHS cybersecurity guidance needs to be updated to the latest standards from the National Institute of Standards and Technology on recovery from adverse events, maintaining operations during malware, ransomware and phishing attacks and protecting data. The Office of Management and Budget requires agencies to comply with NIST standards within a year of their publication.

The inspector general also dug into cybersecurity awareness training for DHS employees.

Of the DHS components audited, seven of eight "did not comply with the requirements for annual cybersecurity awareness training," not always guaranteeing that all users had done the training, the report states. In fiscal year 2019, two components — one of which is DHS headquarters – had less than a 50% completion rate for their annual training. 

The inspector general also found that across the department, "the components did not consistently educate users on the risks of malware, ransomware, and phishing attacks."

DHS doesn't have any "centralized process" to track cyber training records, and components within the department are in charge of their own programs, the report says. 

The audit also found that only half of the components reviewed did semi-annual phishing exercises in 2019 and 2020, with three components including DHS' headquarters not doing any phishing exercises those years at all.

"Until DHS revises its policies and procedures to reflect the latest NIST standards, the Department cannot ensure it will be able to quickly detect, respond to, and recover from a cybersecurity attack," the report says. "Also, until DHS personnel are educated about the risks associated with malware, ransomware, and phishing attacks, DHS cannot ensure its sensitive information is secured."