Department of Homeland Security Semiannual Report to the Congress (SAR)
Editor’s Note: In response to today’s release of the Homeland Security Semiannual Report to Congress, GSN will publish selections of the key topics of this semiannual Report to Congress, starting with “Securing Cyberspace and Information Technology Assets.”
SECURING CYBERSPACE AND INFORMATION TECHNOLOGY ASSETS
The Secret Service faces challenges protecting sensitive case management systems and data. Corrective actions are underway to address long-standing information technology (IT) deficiencies. In FY 2016, DHS took steps to enhance its information security program. Although improvements have been made, DHS can strengthen its oversight of its information security program. TSA has undertaken various actions to address the recommendations made in prior OIG reports. However, we did identify two conditions where corrective action can improve security controls.
What We Found
USSS Faces Challenges Protecting Sensitive Case Management Systems and Data
We found that Secret Service IT management was ineffective. Secret Service IT systems had inadequate security plans, access and audit controls, and privacy protections. Secret Service IT systems also operated with expired authorities to operate, noncompliant logical access requirements, and improper record retention requirements.
Evaluation of DHS' Information Security Program for Fiscal Year 2016
We found that the Department can strengthen its oversight of its information security program. We found that components were not consistently following DHS’ policies and procedures; operated 79 unclassified systems with expired authorities to operate; had not consolidated all internet traffic behind DHS’s trusted internet connections; and had deficiencies in configuration management and continuous monitoring programs.
Summary Report on Audits of Security Controls for TSA Information Technology Systems at Airports (Redacted)
TSA has undertaken various actions to address the recommendations made in prior OIG reports. However, we identified two ways to improve security controls: (1) TSA needs to assess the risk of not having redundant data communications capability to sustain operations; and (2) TSA should establish a plan to conduct recurring reviews of security controls nationwide.
The Secret Service has much work to do to make IT a priority. This requires establishing and implementing an IT governance framework that includes addressing IT deficiencies in system security plans, authorities to operate systems, and access and audit controls. DHS reported it is taking corrective actions by actively maintaining a Cybersecurity Review process to keep senior executives informed of planned remedial actions and resolve impediments to improving information security programs. TSA reported it is taking steps to improve security by conducting recurring reviews of security controls.
DHS Response
The Secret Service reported it initiated steps in late 2015 to improve its IT program, including centralizing all IT resources under a Chief Information Officer (CIO) and drafting plans for an improved IT governance framework. The new CIO is aware of the severity of these issues and has begun formulating a strategic plan, including corrective action plans to address long-standing IT deficiencies. DHS reported it plans to maintain a review process to keep senior executives informed of planned remedial actions to improve information security programs. DHS reported it is also developing an annual performance plan to communicate requirements, priorities, and overall goals for its national security systems. DHS has achieved 99.4 percent compliance with mandatory PIV logon for privileged users. Efforts will continue to improve and strengthen oversight of Plans of Action & Milestones in enterprise management systems. TSA reported it will suggest DHS incorporate Business Impact Analyses as required artifacts in the DHS Information Assurance Compliance System and risk management framework. TSA will also conduct recurring reviews of operational, technical, and management security controls.
October 1, 2016 – March 31, 2017