Information Security: Department of Homeland Security Needs to Fully Implement Its Security Program

GAO-05-700 June 17, 2005

Summary

The Homeland Security Act of 2002 mandated the merging of 22 federal agencies and organizations to create the Department of Homeland Security (DHS), whose mission, in part, is to protect our homeland from threats and attacks. DHS relies on a variety of computerized information systems to support its operations. GAO was asked to review DHS's information security program. In response, GAO determined whether DHS had developed, documented, and implemented a comprehensive, departmentwide information security program.

DHS has not fully implemented a comprehensive, departmentwide information security program to protect the information and information systems that support its operations and assets. It has developed and documented departmental policies and procedures that could provide a framework for implementing such a program; however, certain departmental components have not yet fully implemented key information security practices and controls. For example, risk assessments--needed to determine what controls are necessary and what level of resources should be expended on them--were incomplete. Elements required for information system security plans--which would provide a full understanding of existing and planned information security requirements--were missing. Testing and evaluation of security controls--which are needed to determine the effectiveness of information security policies and procedures--were incomplete or not performed. Elements required for remedial action plans--which would identify the resources needed to correct or mitigate known information security weaknesses--were missing, as were elements required for continuity of operations plans to restore critical systems in case of unexpected events. In addition, DHS had not yet fully developed a complete and accurate systems inventory. Shortfalls in executing responsibilities for ensuring compliance with the information security program allowed these weaknesses to occur. Although DHS has an organization that is responsible for overseeing the component implementation of key information security practices and controls, its primary means for doing so--an enterprisewide tool--has not been reliable. Until DHS addresses weaknesses with using the tool and implements a comprehensive, departmentwide information security program, its ability to protect its information and information systems will be limited.

Recommendations

Our recommendations from this work are listed below with a contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.

Director: Gregory C. Wilshusen
Team: Government Accountability Office: Information Technology
Phone: (202) 512-6244


Recommendations for Executive Action


Recommendation: To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the Chief Information Officer to instruct the Chief Information Security Officer (CISO) and component agencies to fully implement the following key information security practices and controls by developing complete risk assessments.

Agency Affected: Department of Homeland Security: Directorate of Management: Chief Information Officer

Status: In process

Comments: DHS has since developed and implemented a plan to ensure that component agencies develop complete risk assessments. The plan identified the risk assessment as 1 of 12 Certification and Accreditation documents for the DHS Information Technology systems.

Recommendation: To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the CISO and component agencies to fully implement the following key information security practices and controls by documenting comprehensive security plans.

Agency Affected: Department of Homeland Security: Directorate of Management: Chief Information Officer

Status: In process

Comments: DHS has since developed and implemented a plan to ensure that component agencies document comprehensive security plans. The plan identified the security plan as 1 of 12 Certification and Accreditation documents for the Information Technology systems.

Recommendation: To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the CISO and component agencies to fully implement the following key information security practices and controls by fully performing testing and evaluation of security controls.

Agency Affected: Department of Homeland Security: Directorate of Management: Chief Information Officer

Status: In process

Comments: DHS has since developed and implemented a plan to ensure that component agencies fully perform testing and evaluation of security controls. The plan identified the Security Test and Evaluation Plan (ST&E) and the Security Assessment Report (SAR) as 2 of 12 Certification and Accreditation documents for the Information Technology systems.

Recommendation: To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the CISO and component agencies to fully implement the following key information security practices and controls by reporting complete remedial action plans.

Agency Affected: Department of Homeland Security: Directorate of Management: Chief Information Officer

Status: In process

Comments: DHS has since developed and implemented a plan to ensure that component agencies report complete remedial action plans. The plan identified the Plan of Action and Milestones (POA&M) as 1 of 12 Certification and Accreditation documents for the DHS Information Technology systems. POA&Ms are reviewed quarterly.

Recommendation: To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the CISO and component agencies to fully implement the following key information security practices and controls by developing, documenting, and testing continuity of operations plans.

Agency Affected: Department of Homeland Security: Directorate of Management: Chief Information Officer

Status: In process

Comments: DHS has since developed and implemented a plan to ensure that component agencies develop, document and test continuity of operations plans. The plan identified the Contingency Plan and Contingency Plan Test Results as 2 of 12 Certification and Accreditation documents for the DHS Information Technology systems.

Recommendation: To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the Chief Information Officer to establish milestones for completing verification of the components' reported performance data in Trusted Agent Federal Information Security Management Act.

Agency Affected: Department of Homeland Security: Directorate of Management: Chief Information Officer

Status: In process

Comments: DHS has since followed documented processes and procedures for verification of the components' reported performance data in Trusted Agent FISMA (TAF). The processes and procedures were used to verify the following types of performance data and integrity checks in TAF: (1) procedures for ensuring that the DHS component system inventory remains current, (2) component Certification and Accreditation remediation document and artifact reviews, and (3) component Plan of Action and Milestones (POA&M) process reviews. Milestones were completed in 2006 and the POA&M has been closed.