IG: DHS Needs Cybersecurity Strategic Plan

Audit Reveals Failure to Track Contractors' Security Training

The Department of Homeland Security lacks a strategic plan for implementing long-term goals to help agencies comply with the Federal Information Security Management Act, according to the department's inspector general.


A 26-page IG audit report points out that the Office of Cybersecurity and Communications' Federal Network Resilience unit has neither developed long-term cybersecurity goals nor identified medium-term milestones for federal agencies to accomplish.

"Without the long-term goals, CS&C will have difficulty determining whether the CPM (cybersecurity performance management) program is effective in achieving the desired results to strengthen the security posture of the federal government," Frank Deffer, assistant inspector general for information technology audits, writes in the audit report.

Deffer says it's understandable the Cybersecurity and Communications Office hasn't yet devised a long-term strategy, citing key managers who have left CS&C within the past year, including the assistant secretary of CS&C in January, director of Federal Network Resilience in July and a branch chief in March.

In addition, a presidential executive order resulted in CS&C reorganizing last October into five new divisions. "As a result," Deffer says, "CS&C has to change its draft strategic implementation plan to reflect the revised organizational structure and incorporate new management priorities."

Failure to Track Contractor Training

Another finding in the audit made public June 14: DHS does not have an effective system to ensure that contractors hired as system administrators for its CyberScope automated information security reporting system receive proper security training [see Is CyberScope Ready for Prime Time?]. The audit says the Office of Cybersecurity and Communications does not maintain records or provide documents to support that contractors have received DHS's security awareness or specialized information technology training.

"CS&C cannot guarantee the security of the data collected through CyberScope without ensuring that all people involved understand their roles and responsibilities and are adequately trained to perform them," Deffer says.

Rep. Bennie Thompson, the Mississippi Democrat who serves as the ranking member of the House Committee on Homeland Security, says the audit shows DHS hasn't taken "common-sense steps in efficiency and efficacy" to secure federal information systems.

"Since we know that DHS has a longstanding over-reliance on contractors, it is puzzling that DHS has not taken the solid steps to ensure its contractor workforce gets proper security training," Thompson says. "With the recent national security leak revelations involving a contractor at NSA [National Security Agency], we no longer have to speculate about whether contractors are capable of leaking sensitive information." [See NSA Won't Jettison Contractors, Yet]

The audit makes no claim that DHS contractors have leaked sensitive or classified information.

The IG also called on DHS to increase communications and coordination with agencies so they can improve their FISMA reporting processes.

Extolling Performance

Not everything in the audit was critical. For instance, the IG lauds the Office of Cybersecurity and Communications for developing and refining the annual FISMA reporting metrics in conjunction with the Office of Management and Budget. In 2010, OMB gave DHS primary responsibility for overseeing the federal information security program and evaluating its compliance with FISMA.

"CS&C has taken positive steps to refine the annual reporting metrics by including agencies' input and feedback into the process," Deffer says.

The IG also credits DHS for conducting so-called CyberStat reviews, which help federal agencies identify their cybersecurity weaknesses and develop action plans, and for implementing effective security controls to protect the data stored and processed by CyberScope.