The Department of Homeland Security has made progress on cybersecurity training and improving its information security, the agency’s inspector general said in a report released earlier this month. However, the agency can make additional enhancements to its IT security practices and is still using IT systems without the required authority to operate, the report found.
DHS components have made “significant progress in remediating security weaknesses identified, compared to the same period last year,” according to the report, and it noted that, as of May 2016, all DHS components were “reporting information security metrics to the department, enabling DHS to better evaluate its security posture.”
DHS Makes Cybersecurity Enhancements
The report noted that the agency has taken actions to strengthen its information security program. For example, in January 2016, the DHS undersecretary for management issued a memorandum requiring agency components to enhance DHS cybersecurity defenses.
Specifically, that memo required DHS components to establish the capability to perform searches for compromise indicators within 24 hours of detected suspicious network activity, remove users’ administrative privileges on workstations connected to the networks, and require two-factor authentication for all users accessing the Department’s Homeland Secure Data Network.
DHS components also had to provide additional training as part of the agency’s annual security awareness training to educate users on phishing schemes and how to prevent them. Further, employees and contractors who had not completed the training within the required time frame would have their network accounts disabled.
DHS components were also told to establish programs to raise employee awareness about the threat of social engineering, including semiannual tests and spear phishing exercises for all privileged users, all users of high-value assets, and a representative sample of the remaining population. DHS components were instructed as well to implement technology (such as initial operational capability) to prevent the activation of malicious links or attachments in phishing emails.
Still Room for Improvement on Cybersecurity
Despite the progress made, agency components “were not consistently following DHS’ policies and procedures to maintain current or complete information on remediating security weaknesses timely,” the report found. DHS components were operating 79 unclassified systems with expired authorities to operate. Still, according to FCW, “this represents an improvement over fiscal year 2015, when 203 systems were operating without the needed approvals.”
FCW reports: “The Federal Emergency Management Agency managed to reduce its number of non-ATO systems from 111 in 2015 to 15 in 2016, it said. On the other hand, Customs and Border Protection's total of non-ATO systems rose from eight in fiscal 2015 to 12 in 2016, according to the report.”
Additionally, the report found that DHS components had not consolidated all internet traffic behind the agency’s trusted internet connections and continued to use unsupported operating systems that might “expose DHS data to unnecessary risks.”
The inspector general’s report also identified “deficiencies related to configuration management and continuous monitoring. Without addressing these deficiencies, the department cannot ensure that its systems are adequately secured to protect the sensitive information stored and processed in them.”
Agency components have improved their reporting under the continuous monitoring Ongoing Authorization program, the report found. “The program conducts security authorizations of systems on an ongoing basis using real-time data from Continuous Diagnostics and Monitoring sensors to determine risks,” FCW notes.
“The report made four recommendations to address the gaps it found. They included:
- Keeping the agency's senior executives informed on agencies that are lagging behind on implementation.
- Instituting an annual performance plan on requirements, priorities and overall goals for national security systems.
- Accelerating the use of personal identity verification cards for all privileged access account holders.
- Strengthening oversight to ensure component agencies are following their plans of action and milestones for classified and unclassified enterprise management systems.
DHS concurred with all of the recommendations.”