OIG Report: DHS Must Do More to Meet Its Cybersecurity Responsibilities

Department of Homeland Security

The Office of Inspector General (OIG) of the Department of Homeland Security (DHS) has released a report titled DHS Can Take Actions to Address Its Additional Cybersecurity Responsibilities. The report “contains six recommendations aimed at addressing the National Protection and Programs Directorate’s [NPPD] cybersecurity responsibilities to improve the security posture of the Federal Government.”

“To help secure agency information systems against cyber threats, the Federal Information Security Management Act of 2002 (FISMA) was enacted to set forth a comprehensive framework for ensuring effective information security. To ensure the implementation of this framework, FISMA assigned specific responsibilities to the Office of Management and Budget (OMB) to develop and oversee the implementation of policies and standards on information security.”

“On July 6, 2010, OMB designated DHS with the primary responsibility of overseeing a Federal-wide information security program designed to better protect Federal agencies’ information systems and networks. NPPD, which serves as the lead for protecting and enhancing the resilience of the Nation’s physical and cyber infrastructure, assumed this responsibility for the Department.”

“NPPD’s Office of Cybersecurity and Communications (CS&C) is responsible for developing and collecting FISMA metrics, in conjunction with OMB, that are submitted either annually or quarterly by the Office of Chief Information Officer (OCIO) and Office of Inspector General (OIG) at each agency. In addition, Federal agencies are required to provide monthly information security and vulnerability data feeds through a web-based application, CyberScope, allowing for improved risk-management decisions and increased situational awareness.”

The recommendations made by the OIG include:

  • Coordinate with OMB to develop a strategic implementation plan, which identifies long-term goals and milestones, for Federal agency FISMA compliance
  • Update and finalize internal operating procedures and guidance documents to ensure that cyber responsibilities and procedures are clearly defined
  • Improve communication and coordination with Federal agencies by providing additional clarity regarding the FISMA reporting metrics
  • Implement a process to analyze and provide detailed feedback to Federal agencies concerning monthly vulnerability data feeds
  • Establish a process to ensure that all CyberScope contractor system administrators have received adequate security training in compliance with applicable DHS, OMB, and NIST [National Institute of Standards and Technology] guidance
  • Implement all required DHS baseline configuration settings on the CyberScope database

Article formerly posted at https://www.hsdl.org/blog/newpost/view/s_4809