DHS watchdog flags lagging mobile device security, management

The Department of Homeland Security has fallen short of compliance requirements and existing standards when it comes to managing, securing and deploying mobile devices within its CIO and intelligence office, according to the agency’s latest inspector general report.

The watchdog’s audit found that mobile apps with vulnerabilities were installed, appropriate security settings were skipped over, high-risk app restrictions were ignored and device infrastructure was insufficient. 

The lagging security standards were widespread, according to the DHS OIG. More than three-quarters of the 650 mobile apps installed on the intelligence office’s mobile devices posed security risks, were explicitly prohibited or allowed prohibited activities. Some of these apps were associated with foreign adversaries, pertained to outside employment or were outright banned by the National Defense Authorization Act. 

DHS’s inspector general office conducted the audit from December 2023 through March 2025. As part of that work, the team interviewed officials and staff, assessed internal controls, compared inventory lists and gathered usage reports, among other steps to determine management and security of the devices. 

OCIO denied the OIG’s request for “read-only direct system access to ServiceNow,” which prevented a comprehensive risk assessment of mobile device ticketing data, according to the internal, independent watchdog. 

“DHS believes the OIG’s allegation that the Office of the Chief Information Officer denied the OIG’s request for read-only direct system access is misleading and lacks important context,” Jeffrey Bobich, director of financial management at DHS’s OCFO, said in response to the draft report. 

Bobich said the request was accommodated via “tailored data extracts” due to the risk of unauthorized exposure of sensitive data. 

The clash adds to existing tension between the two entities. DHS Inspector General Joseph Cuffari alerted lawmakers in March to concerns over the agency “systematically” obstructing oversight efforts and “blocking” access to necessary information, sparking an investigation by a senator into the alleged obstruction efforts.

The White House has also laid out its plans to trim the oversight unit, acknowledging that reduced funds and workforce cuts will limit the IG’s capability to perform audits and other duties. 

Even amid the apparent feud, DHS did concur with the 11 recommendations laid out by the IG in the report. 

The recommendations included tasking OCIO with implementing all necessary mobile deceive security countermeasures, developing policies for custom apps and improving compliance tracking. The intelligence office also has homework from the OIG, such as improving identification of vulnerabilities and weaknesses, updating policies around mobile device authorization for international travel and coordinating better with the OCIO. 

Some of the recommendations are already considered resolved based on the information DHS provided in the response to the draft report, but the recommendations are still marked open until a formal closeout letter is submitted and reviewed.