Skinner: Screening system needs stronger controls

Find opportunities — and win them.

DHS has deployed robust IT security controls to protect personal data for air travelers within its Automated Targeting System, but a few key vulnerabilities remain, according to a new report.

The Homeland Security Department has deployed robust information technology security controls to protect personal information for air travelers within its Automated Targeting System, but a few key vulnerabilities remain, according to a new report from the department's inspector general.

The automated targeting system is a risk assessment tool that evaluates air passengers' personally identifiable information from numerous databases and assigns a risk score to each traveler. The system has been criticized by privacy advocates since it first drew widespread attention when described in a Privacy Act notice a year ago, but it has been operating for more than a decade in various forms.

To protect privacy, DHS has established robust operational and system security controls on the targeting system, Inspector General Richard Skinner concluded. These include access controls that limit accessibility to the system data to specific users based on their responsibilities and roles in the program, with passwords and privacy awareness training to ensure those limits are enforced. The system also has network protections, including firewalls and encryption.

"Customs and Border Protection is effectively employing these controls in protecting individuals' personally identifiable information," the IG report states.

However, the agency needs to be vigilant in ensuring the controls are up-to-date and properly authorized. Specifically, there need to be periodic reviews of users' access privileges, checks to make sure that old accounts are disabled and independent internal reviews to make sure that passwords and software patches are being used correctly, Skinner wrote.

Ongoing attention is needed to protect against potential threats to the system from DHS' own employees and ex-employees, the IG said. "The greatest risk to the security and privacy of the personally identifiable information housed in the Automated Targeting System stems from insider threats."

Strengthening IT security controls at DHS and other federal agencies has been an active area of contracting opportunity for several years.