IT modernization

We determined DHS had not yet strengthened its cybersecurity posture by implementing a Continuous Diagnostics and Mitigation (CDM) Program.  DHS spent more than $180 million between 2013 and 2020 to design and deploy a department-wide continuous monitoring solution but faced setbacks.  DHS initially planned to deploy its internal CDM solution by 2017 using a “One DHS” approach that restricted components to a standard set of common tools.  We attributed DHS’ limited progress to an unsuccessful initial implementation strategy, significant changes to its deployment approach, and continuing issues with component data collection and integration.  As of March 2020, DHS had developed a key element of the program, its internal CDM dashboard.  However, the dashboard contained less than half of the required asset management data.  As a result, the Department cannot leverage intended benefits of the dashboard to manage, prioritize, and respond to cyber risks in real time.  Finally, we identified vulnerabilities on CDM servers and databases.  This occurred because DHS did not clearly define patch management responsibilities and had not yet implemented required configuration settings.  Consequently, databases and servers could be vulnerable to cybersecurity attack, and the integrity, confidentiality, and availability of the data could be at risk.  We made three recommendations for DHS to update its program plan, address vulnerabilities, and define patch management responsibilities

We determined that DHS needs to improve the collection and management of data across its multiple components to better serve and safeguard the public.  The data access, availability, accuracy, completeness, and relevance issues we identified presented numerous obstacles for DHS personnel who did not have essential information they needed for decision making or to effectively and efficiently carry out day-to-day mission operations.  Although DHS has improved its information security program and developed plans to improve quality and management of its data, follow through and continued improvement will be essential to address the internal control issues underlying the data deficiencies highlighted in the report.  We made no recommendations in the summary report.

The DHS Chief Information Officer (CIO) and most component CIOs had conducted strategic planning efforts to help prioritize legacy Information Technology (IT) systems and infrastructure to better accomplish mission goals.  However, due to a lack of standard guidance and funding, not all components have complied with or fully embraced Department-wide IT modernization initiatives to adopt cloud-based computing, and to consolidate data centers.  Meanwhile, DHS continues to rely on deficient and outdated IT systems to perform mission-critical operations.  Additionally, DHS has not yet leveraged the Modernizing Government Technology Act mandate to accelerate ongoing IT modernization efforts, as DHS and its components questioned whether the benefits of the Act outweighed the additional effort needed to use the resources provided under the Act.  Until DHS addresses these issues, it will continue to face significant challenges to accomplish mission operations efficiently and effectively.  We made three recommendations for the DHS OCIO to develop guidance for implementing cloud technology and migrating legacy IT systems to the cloud, coordinate with components to develop and finalize a data center migration approach, and establish a process to assign risk ratings for major legacy IT investments.  The Department concurred with all three recommendations.