DHS gets low marks for security

The Homeland Security Department is showing major weaknesses in ensuring information security for its computer systems, according to a Government Accountability Office report released today.

"DHS has not fully implemented a comprehensive, departmentwide information security program to protect the information and information systems that support its operations and assets," the GAO said.

Shortcomings include incomplete risk assessments, lack of security plans and incomplete or absent testing and evaluation of existing policies and procedures. The "enterprisewide tool" that DHS has been using to implement key information security practices and controls is "unreliable," the GAO found.

"Until DHS addresses weaknesses with using the tool and implements a comprehensive, departmentwide information security program, its ability to protect its information and information systems will be limited," the GAO said.

The GAO reviewed Homeland Security's program to comply with the Federal Information Security Management Act of 2002 (FISMA) and other federal requirements. It found that DHS' chief information security officer (CISO) has developed some policies and procedures that could be a framework for a departmentwide security program; however, some of the elements have not yet been implemented as required.

"Although the CISO has made significant progress in developing and documenting a departmentwide information security program, certain DHS components have not yet fully implemented key information security practices and controls as required by the program," the GAO said.

"We identified weaknesses in information security documentation for the three major applications and three general support systems that we selected for review that place DHS' operations and assets at risk." The applications include the U.S. Visit traveler program, as well as unspecified applications and general support systems at Immigration and Customs Enforcement, Transportation Security Administration and the Emergency Preparedness & Response Directorate.

DHS also fell short in continuity of operations plans to restore critical systems following an unexpected failure or disaster. "For all five of the continuity of operations plans reviewed, program officials either did not include all information necessary to restore operations in the event of a disaster or have a documented plan," the GAO said.

To correct the problems, the GAO advises that DHS perform the risk assessments, document security plans, test and evaluate security controls, report remedial action plans and test continuity of operations.

DHS, in its comments, agreed with the findings and said the agency is working on the recommended corrections and on strengthening the reliability of the enterprisewide tool.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.
