DHS cybersecurity audit scores below target security levels

The Office of Inspector General evaluated the information security practices of the Department of Homeland Security and found the agency to be underperforming expected targets in three out of five areas.

The DHS cybersecurity audit was performed under guidelines from the Federal Information Security Modernization Act of 2014 (FISMA) in order to determine if "DHS' information security program and practices were adequate and effective in protecting the information and information systems that supported DHS' operations and assets in fiscal year 2017."

Unfortunately, while DHS FISMA scores were expected to be at Level Four -- which the NIST Cybersecurity Framework describes as a security program that is "Managed and Measurable" but not yet "Optimized" (Level Five) -- the DHS cybersecurity audit found that the agency only met those targets for two of five so-called cybersecurity functions.

Of the five functions -- Identify, Protect, Detect, Respond and Recover -- DHS FISMA scored at Level Four in risk management (Identify) and incident response (Respond), but at Level Three in Protect -- which includes configuration, identity and access management and training -- Detect and Recover. 

The OIG report on the DHS cybersecurity audit said DHS "did not implement all configuration settings required to protect component systems, continued using unsupported operating systems, and did not apply security patches timely to mitigate critical and high-risk security vulnerabilities on selected systems; did not monitor software licenses for unclassified systems and relied on data calls to monitor national security systems as part of its continuous monitoring process to detect potential incidents; and did not test all system contingency plans, develop procedures for handling sensitive information, or identify alternate facilities to recover processing in the event of service disruptions."

Even in the areas where the DHS cybersecurity audit found FISMA scores were at the target level, OIG found flaws such as 64 systems not having valid authority to operate (ATO). The report showed the number of systems without ATO has dropped over the past three years, but the data only included unclassified systems.

The OIG report noted that DHS met FISMA compliance for 98% to 99% of systems in DHS headquarters, FEMA and the Coast Guard, but again found flaws as DHS headquarters, FEMA and the Secret Service continued to use one Windows 2003 server each despite Microsoft ceasing security updates for those systems in June 2015.

Security patching also rated as subpar for DHS with some systems "missing security patches dating back to 2013" and "Several Windows 8.1 and Windows 7 workstations were missing key security patches, including those to protect against WannaCry ransomware." The WannaCry attacks occurred in mid-May 2017, although the patches for the underlying NSA-created EternalBlue exploit was released as part of Microsoft's March 2017 Patch Tuesday.

The OIG concluded that because of the FISMA results in the DHS cybersecurity audit, "additional oversight is needed for the Department to improve in ensuring that components comply with Federal and DHS information security policy."

"Specifically, since the Department's inception in 2003, components have not effectively managed and secured their information systems. Components have continued to operate systems without ATOs, used unsupported operating systems that expose DHS data to unnecessary risks, ineffectively managed the [plans of actions and milestones] process to mitigate identified security weaknesses, and failed to apply security patches timely," the OIG wrote. "Such repeated deficiencies are contrary to the President's Cybersecurity Executive Order and clear indicators that departmental oversight of the enterprise-wide information security program needs to be strengthened. Until DHS overcomes challenges to addressing its systemic information security weaknesses, it will remain unable to ensure that its information systems adequately protect the sensitive data they store and process."