OCIO

We determined DHS had not yet strengthened its cybersecurity posture by implementing a Continuous Diagnostics and Mitigation (CDM) Program.  DHS spent more than $180 million between 2013 and 2020 to design and deploy a department-wide continuous monitoring solution but faced setbacks.  DHS initially planned to deploy its internal CDM solution by 2017 using a “One DHS” approach that restricted components to a standard set of common tools.  We attributed DHS’ limited progress to an unsuccessful initial implementation strategy, significant changes to its deployment approach, and continuing issues with component data collection and integration.  As of March 2020, DHS had developed a key element of the program, its internal CDM dashboard.  However, the dashboard contained less than half of the required asset management data.  As a result, the Department cannot leverage intended benefits of the dashboard to manage, prioritize, and respond to cyber risks in real time.  Finally, we identified vulnerabilities on CDM servers and databases.  This occurred because DHS did not clearly define patch management responsibilities and had not yet implemented required configuration settings.  Consequently, databases and servers could be vulnerable to cybersecurity attack, and the integrity, confidentiality, and availability of the data could be at risk.  We made three recommendations for DHS to update its program plan, address vulnerabilities, and define patch management responsibilities

We reviewed DHS’ information security program in accordance with the Federal Information Security Modernization Act of 2014 (FISMA). Our objective was to determine whether DHS’ information security program and practices were adequate and effective in protecting the information and information systems that supported DHS’ operations and assets in fiscal year 2017.

Homeland Security Presidential Directive (HSPD) 12 requires that Federal agencies implement a government-wide standard for secure, reliable identification for their employees and contractors to access facilities and systems. Our objective was to assess DHS’ progress in implementing and managing the HSPD-12 program since our prior audits in 2007 and 2010.  The Department of Homeland Security has not made much progress in implementing and managing requirements of the HSPD-12 program department-wide. Many of the same issues we previously reported in 2007 and 2010 pose challenges today.

We determined that DHS had only approved implementation plans for 4 of 23 strategic objectives of the Enterprise Data Strategy, and planned to finalize the remaining plans in late FY 2017.  While we found that DHS had taken some effective actions to coordinate component investments in data sharing and management, component officials identified other ways that DHS could improve by coordinating Enterprise-wide tools and data integration efforts.  We recommended that DHS take actions to finalize implementation plans for the remaining 19 strategic objectives by the end of FY 2017, and work with components to identify and provide the training for Enterprise-wide data analysis and management tools.  We made two recommendations and Intelligence and Analysis and the Office of the Chief Information Officer concurred with both of our recommendations.