Secret Service

DHS’ information security program was effective for fiscal year 2018 because the Department earned the targeted maturity rating, “Managed and Measurable” (Level 4) in four of five functions, as compared to last year’s lower overall rating, “Consistently Implemented” (Level 3). We attributed DHS’ progress to improvements in information security risk, configuration management practices, continuous monitoring, and more effective security training. By addressing the remaining deficiencies, DHS can further improve its security program ensuring its systems adequately protect the critical and sensitive data they store and process.

The Chief Financial Officers Act of 1990 (Public Law 101-576) and the Department Of Homeland Security Financial Accountability Act (Public Law 108-330) require us to conduct an annual audit of the Department of Homeland Security’s (DHS) consolidated financial statements and internal control over financial reporting. KPMG noted that the financial statements present fairly, in all material respects, DHS’ financial position as of September 30, 2018.

KPMG issued an adverse opinion on DHS’ internal control over financial reporting of its financial statements as of September 30, 2018. The report identifies the following six significant deficiencies in internal control, the first two of which are considered material weaknesses, and four instances where DHS did not comply with laws and regulations.

The Department faces challenges to effectively sharing cyber threat information across Federal and private sector entities. Without acquiring a cross-domain information processing solution and automated tools, DHS cannot analyze and share threat information timely. Further, without enhanced outreach, DHS cannot increase participation and improve coordination of information sharing across Federal and private organizations.

 

Most of the deficiencies identified by the independent public accounting firm KPMG, LLP were related to access controls, segregation of duties, and configuration management.  The deficiencies collectively limited USSS’ ability to ensure that critical financial and operational data were maintained in such a manner as to ensure their confidentiality, integrity, and availability.  We recommend that USSS, in coordination with the Department of Homeland Security’s Chief Information Officer and Acting Chief Financial Officer, make improvements to USSS’ financial management systems and associated information.

The Protective Mission Panel (PMP) made a number of recommendations in its December 2014 classified report.  The objective of this review was to determine whether the Secret Service has taken or plans to take action to implement the PMP’s classified recommendations, which primarily relate to security gaps and vulnerabilities at the White House Complex (WHC).  The Secret Service has clearly taken these recommendations seriously.  Using funding appropriated for PMP initiatives, the Secret Service began enhancing security and refreshing technology at the WHC.  Fully implementing many of the PMP’s classified recommendations will depend on staff increases, sustained funding, and a multi-year commitment by Secret Service and Department leadership to ensure actions continue even during times of increased protective mission demands and unexpected priorities.  We made no recommendations in this report.

We determined that the U.S. Secret Service has clearly taken the Protective Mission Panel’s (PMP) recommendations seriously, which it has demonstrated by making a number of significant changes.  Specifically, it has improved communication within the workforce, better articulated its budget needs, increased hiring, and committed to more training.  However, fully implementing many of the PMP’s recommendations will require long-term financial planning, further staff increases, consistent re-evaluation of the initiated actions’ effectiveness, and a multi-year commitment by Secret Service and Department of Homeland Security leadership.  We have made five recommendations.

We determined that CBP, ICE and USSS have been able to maintain staffing levels close to the authorized number of law enforcement personnel, but they continue to have significant delays in hiring. The additional steps in the hiring process add to the time it takes to hire law enforcement officers, but the components also do not have the staff or comprehensive automated systems needed to hire personnel as efficiently as possible.  Although they have taken steps to reduce the time it takes to hire law enforcement personnel, it is too early to measure the long-term effects of the Department’s and the components’ recent actions. We made five recommendations to make the law enforcement hiring process more efficient.

We determined that the U.S. Secret Service (USSS) did not have adequate protections in place on systems to which Master Central Index (MCI) information was migrated.  These problems occurred because USSS has not consistently made IT management a priority.  The USSS Chief Information Officer (CIO) lacked authority for all IT resources and was not effectively positioned to provide necessary oversight, inadequate attention was given to updating USSS IT policies, and high turnover and vacancies within the Office of the CIO meant a lack of leadership to ensure IT systems were properly managed.  In addition, USSS personnel were not adequately trained to successfully perform their duties. We made 10 recommendations to USSS and 1 recommendation to the DHS Privacy Office to reduce the risk of future unauthorized access and disclosure of sensitive information. The USSS and the DHS Privacy Officer concurred with these recommendations.