CISA

  • CISA Can Improve Efforts to Ensure Dam Security and Resilience

    Executive Summary

    CISA cannot demonstrate how its oversight has improved Dams Sector security and resilience because CISA has not coordinated or tracked its Dams Sector activities, updated overarching national critical infrastructure or Dams Sector plans, and collected and evaluated performance information on Dams Sector activities.  Furthermore, we found that CISA does not consistently provide information to FEMA to help ensure its assistance addresses the most pressing needs of the Dams Sector.  CISA and FEMA also do not coordinate their flood mapping information.  Finally, CISA does not effectively use the Homeland Security Information Network Critical Infrastructure Dams Portal to provide external Dams Sector Stakeholders with critical information.  We recommended that CISA update the Dams Sector-Specific Plan, its internal organization structures, and establish performance metrics to determine its impact on the Dams Sector.  We also recommended it coordinate with FEMA on its grants and flood mapping systems.  Finally, we recommended CISA implement a strategy to use the HSIN-CI Dams portal to its fullest potential.  We made five recommendations to update CISA’s Sector-Specific Plan, internal organization structures, and coordination with FEMA that, when implemented, will improve dam security and resilience.  CISA concurred with all five recommendations.

    Report Number
    OIG-21-59
    Issue Date
    Document File
    DHS Agency
    Fiscal Year
    2021
  • DHS Has Made Limited Progress Implementing the Continuous Diagnostics and Mitigation Program

    Executive Summary

    We determined DHS had not yet strengthened its cybersecurity posture by implementing a Continuous Diagnostics and Mitigation (CDM) Program.  DHS spent more than $180 million between 2013 and 2020 to design and deploy a department-wide continuous monitoring solution but faced setbacks.  DHS initially planned to deploy its internal CDM solution by 2017 using a “One DHS” approach that restricted components to a standard set of common tools.  We attributed DHS’ limited progress to an unsuccessful initial implementation strategy, significant changes to its deployment approach, and continuing issues with component data collection and integration.  As of March 2020, DHS had developed a key element of the program, its internal CDM dashboard.  However, the dashboard contained less than half of the required asset management data.  As a result, the Department cannot leverage intended benefits of the dashboard to manage, prioritize, and respond to cyber risks in real time.  Finally, we identified vulnerabilities on CDM servers and databases.  This occurred because DHS did not clearly define patch management responsibilities and had not yet implemented required configuration settings.  Consequently, databases and servers could be vulnerable to cybersecurity attack, and the integrity, confidentiality, and availability of the data could be at risk.  We made three recommendations for DHS to update its program plan, address vulnerabilities, and define patch management responsibilities.

    Report Number
    OIG-21-38
    Issue Date
    Document File
    DHS Agency
    Fiscal Year
    2021
  • DHS Made Limited Progress to Improve Information Sharing under the Cybersecurity Act in Calendar Years 2017 and 2018

    Executive Summary

    The Cybersecurity and Infrastructure Security Agency (CISA) increased the number of Automated Indicator Sharing (AIS) participants as well as the volume of cyber threat indicators it has shared since the program’s inception in 2016.  However, CISA made limited progress in improving the overall quality of information it shares with AIS participants to effectively reduce cyber threats and protect against attacks.  The lack of progress can be attributed to the limited number of AIS participants sharing cyber indicators with CISA, delays in receiving cyber threat intelligence standards, and insufficient staff.  To be more effective, CISA should hire the staff it needs to provide outreach, guidance, and training.  We made four recommendations to CISA to enhance the program’s overall effectiveness and cyber threat information sharing.  CISA concurred with all four recommendations.  

    Report Number
    OIG-20-74
    Issue Date
    Document File
    DHS Agency
    Oversight Area
    Fiscal Year
    2020
  • DHS Can Enhance Efforts to Protect Commercial Facilities from Terrorism and Physical Threats

    Executive Summary

    The Cybersecurity and Infrastructure Security Agency (CISA) does not effectively coordinate and share best practices to enhance security across the commercial facilities sector.  Specifically, CISA does not coordinate within DHS on security assessments to prevent potential overlap, does not always ensure completion of required After Action Reports to share best practices with the commercial facilities sector, and does not adequately inform all commercial facility owners and operators of available DHS resources.  This occurred because CISA does not have comprehensive policies and procedures to support its role as the commercial facilities’ Sector-Specific Agency (SSA).  Without such policies and procedures, CISA cannot effectively fulfill its SSA responsibilities and limits its ability to measure the Department’s progress toward accomplishing its sector-specific objectives.  CISA may also be missing opportunities to help commercial facility owners and operators identify threats and mitigate risks, leaving the commercial facilities sector vulnerable to terrorist attacks and physical threats that may cause serious damage and loss of life.  We made three recommendations to improve CISA’s coordination and outreach to safeguard the commercial facilities sector.  CISA concurred with all three recommendations.

    Report Number
    OIG-20-37
    Issue Date
    Document File
    DHS Agency
    Oversight Area
    Fiscal Year
    2020
  • Evaluation of DHS' Information Security Program for Fiscal Year 2018

    Executive Summary

    DHS’ information security program was effective for fiscal year 2018 because the Department earned the targeted maturity rating, “Managed and Measurable” (Level 4) in four of five functions, as compared to last year’s lower overall rating, “Consistently Implemented” (Level 3). We attributed DHS’ progress to improvements in information security risk, configuration management practices, continuous monitoring, and more effective security training. By addressing the remaining deficiencies, DHS can further improve its security program ensuring its systems adequately protect the critical and sensitive data they store and process.

    Report Number
    OIG-19-60
    Issue Date
    Document File
    DHS Agency
    Oversight Area
    Fiscal Year
    2019
  • (U) Evaluation of DHS' Compliance with Federal Information Security Modernization Act Requirements for Intelligence Systems for Fiscal Year 2018

    Executive Summary

    We determined that DHS' information security program for Top Secret/Sensitive Compartmented Information intelligence systems is effective this year as the Department achieved “Level 4 – Managed and Measurable” in three of five cybersecurity functions, based on current reporting instructions for intelligence systems. However, we identified deficiencies in DHS’ overall patch management process and the Cybersecurity and Infrastructure Security Agency’s weakness remediation and security awareness training activities.

    We made one recommendation to the Office of Intelligence and Analysis and two recommendations to the Cybersecurity and Infrastructure Security Agency to address the deficiencies identified. DHS concurred with all three recommendations.

    Report Number
    OIG-19-34-UNSUM
    Issue Date
    DHS Agency
    Oversight Area
    Fiscal Year
    2019