Sen. Tom Coburn (R-Okla.), ranking member of the Senate Homeland Security and Governmental Affairs Committee, criticized the Homeland Security Department on Monday for failing to correct deficiencies in its cybersecurity efforts.
He was responding to the findings of a recent report released by DHS’ Office of Inspector General that evaluated the agency’s information security plan for fiscal year 2013.
“This report shows major gaps in DHS’s own cybersecurity, including some of the most basic protections that would be obvious to any 13-year-old with a laptop,” Coburn said, in a statement. “DHS doesn’t use strong authentication. It relies on antiquated software that’s full of holes. Its components don’t report security incidents when they should. They don’t keep track of weaknesses when they’re found, and they don’t fix them in time to make a difference.”
Coburn added DHS and other agencies should at least exercise the same cybersecurity practices the private sector uses to protect the nation’s critical infrastructure from cyber attacks.
“The fact is the federal government’s classified and unclassified networks are dangerously insecure, putting at risk not only U.S. national security, but the nation’s critical infrastructure and vast amounts of our citizens’ personally identifiable information,” he said.
For its report, the OIG reviewed DHS’ information security program and practices to see if they met the requirements of the Federal Information Security Management Act (FISMA). The OIG determined that not all of DHS’ components were meeting the department’s policies and procedures.
It identified several areas where DHS’ information security program was lacking and made recommendations for improvement.
The department failed to implement all of the required U.S. Government Configuration Baseline (USGCB) settings for all of its systems. The OIG recommended DHS ensure those baselines were implemented on all workstations and servers.
The department is operating systems whose authority to operate (ATO) has lapsed.
“Without a renewed and valid ATO, DHS cannot be assured that effective controls have been implemented to protect the sensitive information stored and processed by these systems,” the report said.
The OIG recommended DHS verify all operational information systems have up-to-date authorizations to operate.
Plans and milestones were also not being implemented to address all of the known security weaknesses in a timely fashion.
The OIG recommended that DHS’ Information Security Office improve its Plans of Action and Milestones (POA&M) review process and ensure that all POA&Ms are addressed in a timely manner and comply with DHS guidance.
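One way to turn the OIG's ATO and POA&M findings into a recurring check is to run a script over the system inventory and flag lapsed authorizations, authorizations about to lapse, and open milestones past their scheduled date. The following is an added example written for this page; it is not code from DHS, the OIG report or any named tool, and the inventory layout, system names, weaknesses and dates are assumptions made up for illustration.

```python
"""Continuous-monitoring check over a constructed system inventory.

Added example (not from the OIG report or DHS): flags operational systems
whose ATO has lapsed or was never granted, ATOs lapsing within a warning
window, and POA&M items past their scheduled completion date. The record
layout, system names, weaknesses and dates are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Poam:
    """One Plan of Action and Milestones entry for a known weakness."""
    poam_id: str
    weakness: str
    scheduled_completion: date
    completed: Optional[date] = None


@dataclass
class SystemRecord:
    """One information system from the inventory (hypothetical layout)."""
    name: str
    operational: bool
    ato_expires: Optional[date]          # None: no authorization on record
    poams: List[Poam] = field(default_factory=list)


def expired_ato(systems: List[SystemRecord], as_of: date) -> List[SystemRecord]:
    """Operational systems running without a valid ATO on the given date."""
    return [
        s for s in systems
        if s.operational and (s.ato_expires is None or s.ato_expires < as_of)
    ]


def ato_expiring_within(systems: List[SystemRecord], as_of: date,
                        days: int) -> List[SystemRecord]:
    """Operational systems whose ATO is still valid but lapses within `days`."""
    horizon = as_of + timedelta(days=days)
    return [
        s for s in systems
        if s.operational and s.ato_expires is not None
        and as_of <= s.ato_expires <= horizon
    ]


def overdue_poams(systems: List[SystemRecord],
                  as_of: date) -> List[Tuple[str, str, int]]:
    """(system, POA&M id, days overdue) for open milestones past their date."""
    overdue = []
    for s in systems:
        for p in s.poams:
            if p.completed is None and p.scheduled_completion < as_of:
                days_late = (as_of - p.scheduled_completion).days
                overdue.append((s.name, p.poam_id, days_late))
    return overdue


def run_check(systems: List[SystemRecord], as_of: date,
              warn_days: int = 90) -> Dict[str, list]:
    """Bundle the three findings a reviewer would want in one report."""
    return {
        "expired_ato": [s.name for s in expired_ato(systems, as_of)],
        "ato_expiring_soon": [s.name for s in
                              ato_expiring_within(systems, as_of, warn_days)],
        "overdue_poams": overdue_poams(systems, as_of),
    }


# Constructed inventory; every name and date here is made up for the example.
INVENTORY = [
    SystemRecord("CaseTrack", True, date(2014, 3, 1), [
        Poam("P-1", "USGCB setting not applied on workstations", date(2013, 6, 30)),
        Poam("P-2", "Contingency plan not tested", date(2013, 12, 31)),
    ]),
    SystemRecord("LegacyPayroll", True, date(2013, 5, 15), [
        Poam("P-3", "Unsupported OS version", date(2013, 8, 1),
             completed=date(2013, 7, 20)),
    ]),
    SystemRecord("FieldOps", True, date(2013, 11, 15)),
    SystemRecord("BorderGateway", True, None),      # never authorized
    SystemRecord("DevSandbox", False, None),        # not operational: ignored
]
AS_OF = date(2013, 9, 30)   # last day of fiscal year 2013

if __name__ == "__main__":
    for category, items in run_check(INVENTORY, AS_OF).items():
        print(f"{category}: {items}")
```

A system with no ATO on record is treated the same as one whose ATO has expired, since in both cases nobody has currently attested that its controls work; non-operational systems are skipped so a decommissioned or sandbox entry does not inflate the list. Run against a real inventory, the `as_of` date would be today and the warning window whatever lead time the reauthorization process needs.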
“Additional information security program areas that need improvement include incident detection and analysis, specialized training, account and identity management, and contingency planning,” the report said. “Finally, the Department still needs to consolidate all of its external connections, and complete the implementation of personal identity verification compliant logical access on its information systems and networks.”
The report was not all bad news for DHS. The OIG found the department had created a draft ongoing authorization methodology to improve the security of its information systems using a risk management approach.
“This revised approach transitions the Department from a static, paperwork-driven, security authorization process to a dynamic framework that can provide security-related information on demand to make risk-based decisions based on frequent updates to security plans, security assessment reports, and hardware and software inventories,” the report said.
DHS concurred with the findings of the OIG report and agreed to comply with its recommendations.