
FISMA

  • Evaluation of DHS' Information Security Program for Fiscal Year 2020

    Executive Summary

    In May 2020, the Deputy Under Secretary for Management formally documented the Department’s risk acceptance to allow the Coast Guard to meet FISMA requirements according to Department of Defense reporting requirements rather than DHS’ reporting requirements. The Deputy Under Secretary for Management’s decision adversely affected our ability to evaluate the Department’s enterprise-wide information security program under this year’s OIG reporting metrics. Nonetheless, when evaluating the overall effectiveness of DHS’ information security program for FY 2020 FISMA, our rating does not include the Coast Guard. DHS’ information security program earned a maturity rating of “Managed and Measurable” (Level 4) in three of five functions. DHS can further improve the effectiveness of its information security program by ensuring components execute all its policies and procedures. We made four recommendations in our report, with one to the DHS Chief Information Officer, one to the S&T Chief Information Officer, one to the Secret Service Chief Information Officer, and one to the FEMA Chief Information Officer. The Department concurred with all four recommendations.

    Report Number
    OIG-21-72
    Fiscal Year
    2021
  • Evaluation of DHS' Compliance with Federal Information Security Modernization Act Requirements for Intelligence Systems for Fiscal Year 2020 - Secret

    Executive Summary

    Since our FY 2020 evaluation, the Office of Intelligence and Analysis (I&A) has continued to provide effective oversight of the department-wide intelligence system and has implemented programs to monitor ongoing security practices. We determined that DHS’ information security program for Top Secret/Sensitive Compartmented Information intelligence systems is effective this year, as the Department achieved “Level 4 – Managed and Measurable” in three of five cybersecurity functions, based on current reporting instructions for intelligence systems. However, we identified deficiencies in DHS’ protect and recover functions. We made three recommendations to I&A to address the deficiencies identified, and I&A concurred with all three recommendations.

    Report Number
    OIG-21-55
    Fiscal Year
    2021
  • Evaluation of DHS' Information Security Program for Fiscal Year 2018

    Executive Summary

    DHS’ information security program was effective for fiscal year 2018 because the Department earned the targeted maturity rating, “Managed and Measurable” (Level 4), in four of five functions, as compared to last year’s lower overall rating, “Consistently Implemented” (Level 3). We attributed DHS’ progress to improvements in information security risk management, configuration management practices, continuous monitoring, and more effective security training. By addressing the remaining deficiencies, DHS can further improve its security program, ensuring its systems adequately protect the critical and sensitive data they store and process.

    Report Number
    OIG-19-60
    Fiscal Year
    2019
  • (U) Evaluation of DHS' Compliance with Federal Information Security Modernization Act Requirements for Intelligence Systems for Fiscal Year 2018

    Executive Summary

    We determined that DHS’ information security program for Top Secret/Sensitive Compartmented Information intelligence systems is effective this year, as the Department achieved “Level 4 – Managed and Measurable” in three of five cybersecurity functions, based on current reporting instructions for intelligence systems. However, we identified deficiencies in DHS’ overall patch management process and in the Cybersecurity and Infrastructure Security Agency’s weakness remediation and security awareness training activities.

    We made one recommendation to the Office of Intelligence and Analysis and two recommendations to the Cybersecurity and Infrastructure Security Agency to address the deficiencies identified. DHS concurred with all three recommendations.

    Report Number
    OIG-19-34-UNSUM
    Fiscal Year
    2019
  • Fiscal Year 2017 Evaluation of DHS' Compliance with Federal Information Security Modernization Act Requirements for Intelligence Systems

    Executive Summary

    Pursuant to the Federal Information Security Modernization Act of 2014, we reviewed the Department’s security program, including its policies, procedures, and system security controls for the enterprise-wide intelligence system. Since our FY 2016 evaluation, the Office of Intelligence and Analysis (I&A) has continued to provide effective oversight of the department-wide intelligence system and has implemented programs to monitor ongoing security practices. In addition, the United States Coast Guard is in the process of migrating its intelligence users to a system that is jointly managed by the Defense Intelligence Agency and the National Geospatial-Intelligence Agency.

    Report Number
    OIG-18-59
    Fiscal Year
    2018
  • Evaluation of DHS' Information Security Program for Fiscal Year 2016

    Executive Summary

    Despite the progress made, Components were not consistently following DHS’ policies and procedures to maintain current or complete information on remediating security weaknesses in a timely manner. Components operated 79 unclassified systems with expired authorities to operate. Further, Components had not consolidated all internet traffic behind the Department’s trusted internet connections and continued to use unsupported operating systems that may expose DHS data to unnecessary risks. Our review identified deficiencies related to configuration management and continuous monitoring. We made four recommendations to the Chief Information Security Officer. The Department concurred with all four recommendations.

    Report Number
    OIG-17-24
    Fiscal Year
    2017