Review of the Department of Homeland Security's Implementation of the Cybersecurity Act of 2015 [open pdf - 778KB]
"The Department has taken a number of steps to implement provisions in Title IV, Section 406 of the 'Cybersecurity Act'. As required by the Act, we examined DHS activities in four key cybersecurity areas. We determined the Department has:  developed enterprise-wide logical access policies and procedures for its NSS [National Security Systems] and other systems that provide access to PII [Personally Identifiable Information], in accordance with appropriate Federal standards;  applied its process for authorizing systems to operate to ensure logical access controls are implemented and assessed, and ensured multi-factor authentication for privileged users of unclassified systems, and some NSS ;  established software inventory policies, although not all DHS components used data exfiltration protection capabilities to support data loss prevention, forensics and visibility, and digital rights management; and  not developed policies and procedures to ensure that contractors implement data protection solutions. DHS and its Components can benefit from additional data protection capabilities and policy to help ensure sensitive PII and classified information are secure from unauthorized access, use, and disclosure. We are submitting this report for informational purposes to the appropriate Congressional oversight committees, as required by the Act. Due to a lack of specific criteria, this report contains no recommendations."
Department of Homeland Security, Office of Inspector General, Report No. OIG-16-142
Office of Inspector General: https://www.oig.dhs.gov