I&A

Since our FY 2020 evaluation, the Office of Intelligence and Analysis (I&A) has continued to provide effective oversight of the department-wide intelligence system and has implemented programs to monitor ongoing security practices.  We determined that DHS' information security program for Top Secret/Sensitive Compartmented Information intelligence systems is effective this year as the Department achieved “Level 4 – Managed and Measurable” in three of five cybersecurity functions, based on current reporting instructions for intelligence systems.  However, we identified deficiencies in DHS’ protect and recover functions.  We made three recommendations to I&A to address the deficiencies identified, and I&A concurred with all three recommendations.

We determined that DHS' information security program for Top Secret/Sensitive Compartmented Information intelligence systems is effective this year as the Department achieved “Level 4 – Managed and Measurable” in three of five cybersecurity functions, based on current reporting instructions for intelligence systems. However, we identified deficiencies in DHS’ overall patch management process and the Cybersecurity and Infrastructure Security Agency’s weakness remediation and security awareness training activities.

 

We made one recommendation to the Office of Intelligence and Analysis and two recommendations to the Cybersecurity and Infrastructure Security Agency to address the deficiencies identified. DHS concurred with all three recommendations.

We determined that although a complainant alleged there were systemic security challenges in the Office of Intelligence and Analysis (OIA), there were few documented security incidents over the past 5 years, all of which OIA addressed with corrective actions.  Further, OIA has improved the effectiveness of its Field Intelligence Division and the Field Intelligence Officers by hiring qualified, experienced intelligence professionals and implementing clear policies and procedures, but it could enhance officer training.  OIA is also addressing weaknesses in coordination among its watches and perceived delays in intelligence reporting.  We made two recommendations to improve the effectiveness of OIA operations; the Transportation Security Administration (TSA) concurred with both recommendations.

We determined that DHS had only approved implementation plans for 4 of 23 strategic objectives of the Enterprise Data Strategy, and planned to finalize the remaining plans in late FY 2017.  While we found that DHS had taken some effective actions to coordinate component investments in data sharing and management, component officials identified other ways that DHS could improve by coordinating Enterprise-wide tools and data integration efforts.  We recommended that DHS take actions to finalize implementation plans for the remaining 19 strategic objectives by the end of FY 2017, and work with components to identify and provide the training for Enterprise-wide data analysis and management tools.  We made two recommendations and Intelligence and Analysis and the Office of the Chief Information Officer concurred with both of our recommendations.