Although the Department of Homeland Security has improved its program to monitor the federal government’s information security, the agency still must clarify its long-term planning, reporting metrics and personnel training procedures, according to a recent inspector general report.
Since 2010, DHS has worked to ensure the federal government’s information is secure: refining annual metrics, reviewing the government’s information security systems and developing an interagency hub to report cybersecurity stats.
A year ago, the Office of Cybersecurity and Communications — which has handled this task for DHS — was reorganized after an executive order. The DHS Office of Inspector General audited the office to determine the effectiveness of the new structure. The audit identified four problem areas — technical deficiencies, ill-defined long-term goals, metrics and security training programs — and six recommendations, all of which DHS accepted.
The Federal Information Security Management Act of 2002 essentially ordered all federal agencies to implement information security programs and report the results. DHS has worked with each agency to manage this annual reporting program, help agencies identify their system deficiencies and get them secure access to CyberScope — a web-based application used to report monthly information security data.
But while cybersecurity office has helped other agencies establish reporting metrics, it has failed to delineate its own program goals. Specifically, the report found Federal Network Resilience — one of the cybersecurity office’s five divisions — was lacking direction.
“FNR has not developed a strategic implementation plan that describes its cybersecurity responsibilities or establishes specific timeframes and milestones to provide a clear plan of action for fulfilling its cybersecurity responsibilities,” the report reads, adding it does have a number of policies in draft, but not final, form. “In addition, FNR has not established performance metrics to measure and monitor its progress in accomplishing its mission and goals. As a result, FNR cannot ensure that it is effectively overseeing federal agencies’ information security programs.”
Frequent management turnover has hindered the office’s ability to finalize these procedures and establish long-term goals, according to the report. It recommended the cybersecurity office coordinate with the Office of Management and Budget to establish these long-term goals and milestones.
While the cybersecurity office lags in its own monitoring, the report also indicated federal agencies took issue with the monitoring metrics they are required to submit regularly. Two agencies said the reporting process has too many metrics, straining their personnel resources. Another agency said CyberScope needed more instructions and details on reporting metrics.
In addition, agencies aren’t sure what happens to the data once it is submitted, as DHS “has not provided any detailed information, such as trending analysis, regarding their monthly vulnerability data submissions,” the report reads. The cybersecurity office should work to communicate better with federal agencies, the report concludes, and provide them with clear analysis of the data received.
The cybersecurity office also does not communicate enough with contractors about the specific training their employees should receive. It’s the second straight year the inspector general has noted this pattern.
The office “does not have a process to maintain training records for CyberScope contractors or ensure that all training requirements have been completed,” the report reads. “Additionally, [the cybersecurity office] does not require contractors to receive any specialized IT training in addition to what is mandated by the hosting facility.” Steps must be taken, the report concludes, to ensure all contractors are trained to meet DHS, OMB and National Institute of Standards and Technology guidelines.
CyberScope is also vulnerable to unauthorized access. The report identified guest accounts that exist, and default accounts that have not been disabled or renamed. Both practices go against DHS cybersecurity best practices. But the cybersecurity office submitted documents in March, showing it had already begun work to address this issue.