DHS officials did not consult users and skipped key security measures as it developed the Homeland Secure Data Network, the inspector general says.
The Homeland Secure Data Network isn't so secure, according to the Homeland Security Department's inspector general.
"DHS' methods for collecting and confirming user requirements prior to contract award did not lead to assurance that user needs at the 600 sites will be met," according to the April report from Richard Skinner, acting inspector general for DHS.
HSDN is a much-touted network for sharing classified data with 600 law enforcement and intelligence agencies. But in its current state, Skinner said he doubts that the network "will satisfy users' functional and security needs, and adequately protect classified information."
Congress, as part of the supplemental Defense Department funding bill approved last week, froze all money to the network until DHS provides the House and Senate Appropriations committees with a report of all funds obligated to HSDN in fiscal 2004 and fiscal 2005.
The supplemental bill also requires the CIO office to give both appropriations committees an analysis that shows how HSDN is more cost effective than alternative plans considered before DHS started building the network.
But DHS officials say that all the problems the report describes have been fixed and that the network is up and running. "We absolutely feel it is secure," said Larry Orluskie, a spokesman for DHS.
Officials for DHS accredited the network on April 22, the day it went live, Orluskie said. It is currently used by 30 sites, although the schedule for opening it to the remaining constituents hasn't been determined yet, he said.
Skinner's office reviewed the program, estimated to cost $337 million, between August and November 2004. The system is intended to improve information sharing among federal, state, and local agencies.
The report found that the CIO office held few meetings with stakeholders and developers to determine what HSDN needed to accomplish. For example, only two meetings with CIOs in the department were held. Furthermore, the report found, no documentation exists that shows that the CIOs accepted acquisition and design requirements for the program.
Orluskie disagreed, saying that the department had a sufficient number of quality meetings with stakeholders to develop the system properly.
Skinner also found that HSDN missed most of its deadlines, including its scheduled December 2004 implementation date. Of 41 key tasks the CIO's office listed for completing the program, the IG found, 30 out of 40 missed their delivery dates.
And 28 out of the 41 had not been completed at all. Most of the missing elements were critical cybersecurity measures to protect the network and its data, including vulnerability assessments, security evaluations, and systems certifications.
The report stated that misunderstanding fueled DHS' haste. In March 2004, DHS officials had the impression that the Defense Department would cut its access to the Secret Internet Protocol Router Network, or SIPRNET, DOD's secure network, by Dec. 31, 2004. Steve Cooper, the Homeland Security Department's CIO at the time, decided to accelerate the development of the network to meet that deadline.
The report noted, however, that the manager of SIPRNET said the Pentagon had no intention of cutting off DHS. The military would instead gradually phase out services once HSDN was up and running, the report said.
Skinner recommended that the CIO office include users more frequently as the system requirements are defined and verify that all necessary actions are done before officially launching the system.
In a written response to the report, Cooper stated that his office agreed with the report's findings. He wrote that he had assigned a staff member to a "senior position" to make sure that HSDN users participate in planning the project in the future. He also wrote that HSDN would meet all DHS accreditation and certification requirements before deployment.
NEXT STORY: OPM offers incentives