Cybersecurity:
DHS and Selected Agencies Need to Address Shortcomings in Implementation of Network Monitoring Program
GAO-20-598: Published: Aug 18, 2020. Publicly Released: Aug 18, 2020.
Additional Materials:
- Highlights Page:
- Full Report:
- Accessible Version:
Contact:
(202) 512-6240
dsouzav@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
DHS gives agencies cybersecurity tools that identify the hardware and software on their networks and check for vulnerabilities and insecure configurations.
We reviewed how 3 agencies—the Federal Aviation Administration, Indian Health Service, and the Small Business Administration—used these tools. These agencies' hardware inventories were missing information and contained duplicates. For example, one agency's tools provided at least 2 identifiers for about 40% of the hardware on its network—leading to inventory duplicates.
Our recommendations include one for DHS to ensure that contractors configure tools to provide unique hardware identifiers.
Additional Materials:
- Highlights Page:
- Full Report:
- Accessible Version:
Contact:
(202) 512-6240
dsouzav@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
What GAO Found
Selected agencies—the Federal Aviation Administration, Indian Health Services, and Small Business Administration—had generally deployed tools intended to provide cybersecurity data to support the Department of Homeland Security's (DHS) Continuous Diagnostics and Mitigation (CDM) program. As depicted in the figure, the program relies on automated tools to identify hardware and software residing on agency networks. This information is aggregated and compared to expected outcomes, such as whether actual device configuration settings meet federal benchmarks. The information is then displayed on an agency dashboard and federal dashboard.
Continuous Diagnostics and Mitigation Program Data Flow from Agencies to the Federal Dashboard
However, while agencies reported that the program improved their network awareness, none of the three agencies had effectively implemented all key CDM program requirements. For example, the three agencies had not fully implemented requirements for managing their hardware. This was due in part to contractors, who install and troubleshoot the tools, not always providing unique identifying information. Accordingly, CDM tools did not provide an accurate count of the hardware on their networks. In addition, although most agencies implemented requirements for managing software, they were not consistently comparing configuration settings on their networks to federal core benchmarks intended to maintain a standard level of security.
The agencies identified various challenges to implementing the program, including overcoming resource limitations and not being able to resolve problems directly with contractors. DHS had taken numerous steps to help manage these challenges, including tracking risks of insufficient resources, providing forums for agencies to raise concerns, and allowing agencies to provide feedback to DHS on contractor performance.
Why GAO Did This Study
In 2013, DHS established the CDM program to strengthen the cybersecurity of government networks and systems by providing tools to agencies to continuously monitor their networks. The program, with estimated costs of about $10.9 billion, intends to provide capabilities for agencies to identify, prioritize, and mitigate cybersecurity vulnerabilities.
GAO was asked to review agencies' continuous monitoring practices. This report (1) examines the extent to which selected agencies have effectively implemented key CDM program requirements and (2) describes challenges agencies identified in implementing the requirements and steps DHS has taken to address these challenges.
GAO selected three agencies based on reported acquisition of CDM tools. GAO evaluated the agencies' implementation of CDM asset management capabilities, conducted semi-structured interviews with agency officials, and examined DHS actions.
What GAO Recommends
GAO is making six recommendations to DHS, including to ensure that contractors provide unique hardware identifiers; and nine recommendations to the three selected agencies, including to compare configurations to benchmarks. DHS and the selected agencies concurred with the recommendations.
For more information, contact Vijay A. D'Souza at (202) 512-6240 or dsouzav@gao.gov.
Recommendations for Executive Action
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Homeland Security should ensure that integrators' solutions provide unique identifiers for hardware on selected agencies' networks. (Recommendation 1)
Agency Affected: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Homeland Security should ensure that FAA's system integrator records FISMA system information in the agency's CDM tools. (Recommendation 2)
Agency Affected: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Homeland Security should ensure that IHS's system integrator records FISMA system information in the agency's CDM tools. (Recommendation 3)
Agency Affected: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Homeland Security should ensure that FAA's system integrator establishes a process to integrate all vulnerability information in the agency's CDM tools, including the time a vulnerability was remediated. (Recommendation 4)
Agency Affected: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Homeland Security should ensure that IHS's system integrator establishes a process to integrate all vulnerability information in the agency's CDM tools, including the time a vulnerability was remediated. (Recommendation 5)
Agency Affected: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Homeland Security should ensure that SBA's system integrator establishes a process to integrate all vulnerability information in the agency's CDM tools, including the time a vulnerability was remediated. (Recommendation 6)
Agency Affected: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The FAA Administrator should commit to a time frame to complete the agency's effort to associate hardware with its FISMA systems. (Recommendation 7)
Agency Affected: Department of Transportation: Federal Aviation Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The FAA Administrator should document agency-specific variations from federal core configuration benchmarks for each operating system on its network. (Recommendation 8)
Agency Affected: Department of Transportation: Federal Aviation Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The FAA Administrator should configure its CDM tools to compare configuration settings against federal core benchmarks and agency-specific variations applicable to its environment. (Recommendation 9)
Agency Affected: Department of Transportation: Federal Aviation Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Director of IHS should document approved hardware inventory information by associating FISMA systems with the hardware on its network in a format that can be readily integrated into its CDM tools. (Recommendation 10)
Agency Affected: Department of Health and Human Services: Public Health Service: Indian Health Service
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Director of IHS should document agency-specific variations from federal core configuration benchmarks for each operating system on its network. (Recommendation 11)
Agency Affected: Department of Health and Human Services: Public Health Service: Indian Health Service
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Director of IHS should configure its CDM tools to compare configuration settings against federal core benchmarks applicable to its environment. (Recommendation 12)
Agency Affected: Department of Health and Human Services: Public Health Service: Indian Health Service
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The SBA Administrator should commit to a time frame to complete the agency's effort to associate hardware with its FISMA systems. (Recommendation 13)
Agency Affected: Small Business Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The SBA Administrator should document agency-specific variations from federal core configuration benchmarks for each operating system on its network. (Recommendation 14)
Agency Affected: Small Business Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The SBA Administrator should configure its CDM tools to compare configuration settings against agency-specific benchmarks applicable to its environment. (Recommendation 15)
Agency Affected: Small Business Administration
Explore the full database of GAO's Open Recommendations »
Oct 9, 2020
-
Aviation Cybersecurity:
FAA Should Fully Implement Key Practices to Strengthen Its Oversight of Avionics RisksGAO-21-86: Published: Oct 9, 2020. Publicly Released: Oct 9, 2020.
Sep 22, 2020
-
Cybersecurity:
Clarity of Leadership Urgently Needed to Fully Implement the National StrategyGAO-20-629: Published: Sep 22, 2020. Publicly Released: Sep 22, 2020.
Sep 21, 2020
-
Information Security and Privacy:
HUD Needs a Major Effort to Protect Data Shared with External EntitiesGAO-20-431: Published: Sep 21, 2020. Publicly Released: Sep 21, 2020.
Sep 17, 2020
-
Critical Infrastructure Protection:
Treasury Needs to Improve Tracking of Financial Sector Cybersecurity Risk Mitigation EffortsGAO-20-631: Published: Sep 17, 2020. Publicly Released: Sep 17, 2020.
Sep 16, 2020
-
Veterans Affairs:
VA Needs to Address Persistent IT Modernization and Cybersecurity ChallengesGAO-20-719T: Published: Sep 16, 2020. Publicly Released: Sep 16, 2020.
May 27, 2020
-
Cybersecurity:
Selected Federal Agencies Need to Coordinate on Requirements and Assessments of StatesGAO-20-123: Published: May 27, 2020. Publicly Released: May 27, 2020.
May 13, 2020
-
Management Report:
Improvements Are Needed to Enhance the Internal Revenue Service's Information System Security ControlsGAO-20-411R: Published: May 13, 2020. Publicly Released: May 13, 2020.
Apr 24, 2020
-
Information Security:
FCC Made Significant Progress, but Needs to Address Remaining Control Deficiencies and Improve Its ProgramGAO-20-265: Published: Mar 25, 2020. Publicly Released: Apr 24, 2020.
Apr 13, 2020
-
Cybersecurity:
DOD Needs to Take Decisive Actions to Improve Cyber HygieneGAO-20-241: Published: Apr 13, 2020. Publicly Released: Apr 13, 2020.
Feb 11, 2020
-
Office of Congressional Workplace Rights:
Weaknesses in Cybersecurity Management and Oversight Need to Be AddressedGAO-20-199: Published: Feb 11, 2020. Publicly Released: Feb 11, 2020.
Looking for more? Browse all our products here