The Department of Homeland Security said it expects a new inspector general audit to show it has made progress in securing its technology systems, officials told a House subcommittee Thursday.
“There is definite improvement this year,” deputy assistant inspector general John McCoy told the House Oversight and Government Reform Subcommittee on Government Organization, Efficiency and Financial Management.
McCoy did not go into detail because his office still is preparing the audit. He said his office would publish a report in November.
DHS officials said the upcoming audit will show proof that its agencywide IT security strategy is working. DHS chief information security officer Robert West said enterprisewide efforts have made the agency’s IT systems more secure than ever before.
“We’ve consolidated six legacywide area networks into a single, secure, modern, fully encrypted backbone infrastructure and we’ve made significant progress in consolidating multiple data centers into two modern enterprise data centers,” he said. “These new data centers have been designed also with robust security controls that support all systems that operate in these environments. We’ve also consolidated Internet access behind redundant Trusted Internet Connections.” Last year’s audit revealed 161 problems with the agency’s IT controls. Many of those issues were old ones that departments had failed to fix.
FEMA stood out because it accounted for more than a third of the problems noted in the report. Among the biggest challenges is FEMA’s financial management system.
“FEMA’s system is old. It’s outdated. It’s proprietary. I believe it’s not even supported at this point,” said deputy chief financial officer Peggy Sherry. But she told committee members her superiors were “willing to bang heads” to make sure all components of DHS stepped in line so that, eventually, all financial systems could be fully auditable.
She said FEMA had made improvements by rethinking the way it analyzed issues noted by auditors.
“FEMA really was able to better assess which of those [notices of findings and recommendations] they would be able to correct,” she said. “The reason why they were able to do that was because they were able to address their root causes. They were also able to work with their business practices within FEMA to really identify what those root causes are. So I think what you’ll see this year is improvement in that particular area.”
DHS inherited 1,100 IT systems when it was formed in 2003. It has slimmed down, but many of the remaining systems are outdated. Last year’s audit cited five major problems:
Inadequate security controls
Uneven emergency contingency plans
Security management and segregation of duties.
For example, managers in some divisions have to check every few months to make sure former employees no longer have access to the IT systems they were using. West said the biggest remaining problem was keeping track of contractors, who come and go frequently. He said the manual check was a “band-aid” until DHS can implement secure access cards under Homeland Security Presidential Directive-12.
DHS also is responsible operational cybersecurity for civilian agencies.
Subcommittee chairman Todd Platts (R-Pa.) said there was a sad irony to the fact that the agency created because of the Sept. 11 terrorist attacks cannot guarantee that all of its data would be secure in a similar emergency. “We have this department not setting an example for better preparing for that type of emergency in how you manage your data,” he said.
“You’re right. What can I say?” West said. But he added that all DHS components have updated and tested their contingency plans.
Platts told the DHS officials that if the various divisions did not take the steps necessary to prepare their systems for a complete financial audit, he would “bang heads” himself, if it speeded up the process. “We’re glad to bring in any component entity before us to talk about what they’re doing if they’re not in line with what you’re trying to do as a department,” he said.