Cybersecurity:

DHS and Selected Agencies Need to Address Shortcomings in Implementation of Network Monitoring Program

GAO-20-598: Published: Aug 18, 2020. Publicly Released: Aug 18, 2020.

Additional Materials:

Contact:

Vijay A. D'Souza
(202) 512-6240
dsouzav@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

DHS gives agencies cybersecurity tools that identify the hardware and software on their networks and check for vulnerabilities and insecure configurations.

We reviewed how 3 agencies—the Federal Aviation Administration, Indian Health Service, and the Small Business Administration—used these tools. These agencies' hardware inventories were missing information and contained duplicates. For example, one agency's tools provided at least 2 identifiers for about 40% of the hardware on its network—leading to inventory duplicates.

Our recommendations include one for DHS to ensure that contractors configure tools to provide unique hardware identifiers.

lock, keyboard

Additional Materials:

Contact:

Vijay A. D'Souza
(202) 512-6240
dsouzav@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

Selected agencies—the Federal Aviation Administration, Indian Health Services, and Small Business Administration—had generally deployed tools intended to provide cybersecurity data to support the Department of Homeland Security's (DHS) Continuous Diagnostics and Mitigation (CDM) program. As depicted in the figure, the program relies on automated tools to identify hardware and software residing on agency networks. This information is aggregated and compared to expected outcomes, such as whether actual device configuration settings meet federal benchmarks. The information is then displayed on an agency dashboard and federal dashboard.

Continuous Diagnostics and Mitigation Program Data Flow from Agencies to the Federal Dashboard

Continuous Diagnostics and Mitigation Program Data Flow from Agencies to the Federal Dashboard

However, while agencies reported that the program improved their network awareness, none of the three agencies had effectively implemented all key CDM program requirements. For example, the three agencies had not fully implemented requirements for managing their hardware. This was due in part to contractors, who install and troubleshoot the tools, not always providing unique identifying information. Accordingly, CDM tools did not provide an accurate count of the hardware on their networks. In addition, although most agencies implemented requirements for managing software, they were not consistently comparing configuration settings on their networks to federal core benchmarks intended to maintain a standard level of security.

The agencies identified various challenges to implementing the program, including overcoming resource limitations and not being able to resolve problems directly with contractors. DHS had taken numerous steps to help manage these challenges, including tracking risks of insufficient resources, providing forums for agencies to raise concerns, and allowing agencies to provide feedback to DHS on contractor performance.

Why GAO Did This Study

In 2013, DHS established the CDM program to strengthen the cybersecurity of government networks and systems by providing tools to agencies to continuously monitor their networks. The program, with estimated costs of about $10.9 billion, intends to provide capabilities for agencies to identify, prioritize, and mitigate cybersecurity vulnerabilities.

GAO was asked to review agencies' continuous monitoring practices. This report (1) examines the extent to which selected agencies have effectively implemented key CDM program requirements and (2) describes challenges agencies identified in implementing the requirements and steps DHS has taken to address these challenges.

GAO selected three agencies based on reported acquisition of CDM tools. GAO evaluated the agencies' implementation of CDM asset management capabilities, conducted semi-structured interviews with agency officials, and examined DHS actions.

What GAO Recommends

GAO is making six recommendations to DHS, including to ensure that contractors provide unique hardware identifiers; and nine recommendations to the three selected agencies, including to compare configurations to benchmarks. DHS and the selected agencies concurred with the recommendations.

For more information, contact Vijay A. D'Souza at (202) 512-6240 or dsouzav@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Homeland Security should ensure that integrators' solutions provide unique identifiers for hardware on selected agencies' networks. (Recommendation 1)

    Agency Affected: Department of Homeland Security

  2. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Homeland Security should ensure that FAA's system integrator records FISMA system information in the agency's CDM tools. (Recommendation 2)

    Agency Affected: Department of Homeland Security

  3. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Homeland Security should ensure that IHS's system integrator records FISMA system information in the agency's CDM tools. (Recommendation 3)

    Agency Affected: Department of Homeland Security

  4. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Homeland Security should ensure that FAA's system integrator establishes a process to integrate all vulnerability information in the agency's CDM tools, including the time a vulnerability was remediated. (Recommendation 4)

    Agency Affected: Department of Homeland Security

  5. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Homeland Security should ensure that IHS's system integrator establishes a process to integrate all vulnerability information in the agency's CDM tools, including the time a vulnerability was remediated. (Recommendation 5)

    Agency Affected: Department of Homeland Security

  6. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Homeland Security should ensure that SBA's system integrator establishes a process to integrate all vulnerability information in the agency's CDM tools, including the time a vulnerability was remediated. (Recommendation 6)

    Agency Affected: Department of Homeland Security

  7. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The FAA Administrator should commit to a time frame to complete the agency's effort to associate hardware with its FISMA systems. (Recommendation 7)

    Agency Affected: Department of Transportation: Federal Aviation Administration

  8. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The FAA Administrator should document agency-specific variations from federal core configuration benchmarks for each operating system on its network. (Recommendation 8)

    Agency Affected: Department of Transportation: Federal Aviation Administration

  9. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The FAA Administrator should configure its CDM tools to compare configuration settings against federal core benchmarks and agency-specific variations applicable to its environment. (Recommendation 9)

    Agency Affected: Department of Transportation: Federal Aviation Administration

  10. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Director of IHS should document approved hardware inventory information by associating FISMA systems with the hardware on its network in a format that can be readily integrated into its CDM tools. (Recommendation 10)

    Agency Affected: Department of Health and Human Services: Public Health Service: Indian Health Service

  11. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Director of IHS should document agency-specific variations from federal core configuration benchmarks for each operating system on its network. (Recommendation 11)

    Agency Affected: Department of Health and Human Services: Public Health Service: Indian Health Service

  12. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Director of IHS should configure its CDM tools to compare configuration settings against federal core benchmarks applicable to its environment. (Recommendation 12)

    Agency Affected: Department of Health and Human Services: Public Health Service: Indian Health Service

  13. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The SBA Administrator should commit to a time frame to complete the agency's effort to associate hardware with its FISMA systems. (Recommendation 13)

    Agency Affected: Small Business Administration

  14. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The SBA Administrator should document agency-specific variations from federal core configuration benchmarks for each operating system on its network. (Recommendation 14)

    Agency Affected: Small Business Administration

  15. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The SBA Administrator should configure its CDM tools to compare configuration settings against agency-specific benchmarks applicable to its environment. (Recommendation 15)

    Agency Affected: Small Business Administration

 

Explore the full database of GAO's Open Recommendations »

Oct 9, 2020

Sep 22, 2020

Sep 21, 2020

Sep 17, 2020

Sep 16, 2020

May 27, 2020

May 13, 2020

Apr 24, 2020

Apr 13, 2020

Feb 11, 2020

Looking for more? Browse all our products here