Information Security:

Department of Homeland Security Needs to Fully Implement Its Security Program

GAO-05-700: Published: Jun 17, 2005. Publicly Released: Jul 8, 2005.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Homeland Security Act of 2002 mandated the merging of 22 federal agencies and organizations to create the Department of Homeland Security (DHS), whose mission, in part, is to protect our homeland from threats and attacks. DHS relies on a variety of computerized information systems to support its operations. GAO was asked to review DHS's information security program. In response, GAO determined whether DHS had developed, documented, and implemented a comprehensive, departmentwide information security program.

DHS has not fully implemented a comprehensive, departmentwide information security program to protect the information and information systems that support its operations and assets. It has developed and documented departmental policies and procedures that could provide a framework for implementing such a program; however, certain departmental components have not yet fully implemented key information security practices and controls. For example, risk assessments--needed to determine what controls are necessary and what level of resources should be expended on them--were incomplete. Elements required for information system security plans--which would provide a full understanding of existing and planned information security requirements--were missing. Testing and evaluation of security controls--which are needed to determine the effectiveness of information security policies and procedures--were incomplete or not performed. Elements required for remedial action plans--which would identify the resources needed to correct or mitigate known information security weaknesses--were missing, as were elements required for continuity of operations plans to restore critical systems in case of unexpected events. In addition, DHS had not yet fully developed a complete and accurate systems inventory. Shortfalls in executing responsibilities for ensuring compliance with the information security program allowed these weaknesses to occur. Although DHS has an organization that is responsible for overseeing the component implementation of key information security practices and controls, its primary means for doing so--an enterprisewide tool--has not been reliable. Until DHS addresses weaknesses with using the tool and implements a comprehensive, departmentwide information security program, its ability to protect its information and information systems will be limited.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: Department of Homeland Security (DHS) has since developed and tested continuity of operations plans. The DHS Inspector General verified and reported that the Office of Information Security (OIS) has since developed and implemented complete continuity of operations plans with the DHS Information Security Certification and Accreditation (C&A) Remediation Plan.

    Recommendation: To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the CISO and component agencies to fully implement the following key information security practices and controls by developing, documenting, and testing continuity of operations plans.

    Agency Affected: Department of Homeland Security: Directorate of Management: Chief Information Officer

  2. Status: Closed - Implemented

    Comments: Department of Homeland Security (DHS) has since developed and implemented complete remedial action plans. The DHS Inspector General verified and reported that the Office of Information Security (OIS) has since developed and implemented complete remedial action plans with the DHS Information Security Certification and Accreditation (C&A) Remediation Plan.

    Recommendation: To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the CISO and component agencies to fully implement the following key information security practices and controls by reporting complete remedial action plans.

    Agency Affected: Department of Homeland Security: Directorate of Management: Chief Information Officer

  3. Status: Closed - Implemented

    Comments: Department of Homeland Security (DHS) has since developed and implemented testing and evaluation of security controls. The DHS Inspector General verified and reported that the Office of Information Security (OIS) has since developed and implemented complete testing and evaluation of security controls with the DHS Information Security Certification and Accreditation (C&A) Remediation Plan.

    Recommendation: To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the CISO and component agencies to fully implement the following key information security practices and controls by fully performing testing and evaluation of security controls.

    Agency Affected: Department of Homeland Security: Directorate of Management: Chief Information Officer

  4. Status: Closed - Implemented

    Comments: Department of Homeland Security (DHS) has since developed and implemented comprehensive security plans. The DHS Inspector General verified and reported that the Office of Information Security (OIS) has since developed and implemented complete security plans with the DHS Information Security Certification and Accreditation (C&A) Remediation Plan.

    Recommendation: To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the CISO and component agencies to fully implement the following key information security practices and controls by documenting comprehensive security plans.

    Agency Affected: Department of Homeland Security: Directorate of Management: Chief Information Officer

  5. Status: Closed - Implemented

    Comments: Department of Homeland Security (DHS) has since developed and implemented complete risk assessments. The DHS Inspector General verified and reported that the Office of Information Security (OIS) has since developed and implemented complete risk assessments with the DHS Information Security Certification and Accreditation (C&A) Remediation Plan.

    Recommendation: To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the Chief Information Officer to instruct the Chief Information Security Officer (CISO) and component agencies to fully implement the following key information security practices and controls by developing complete risk assessments.

    Agency Affected: Department of Homeland Security: Directorate of Management: Chief Information Officer

  6. Status: Closed - Implemented

    Comments: Department of Homeland Security (DHS) has since followed documented processes and procedures for verification of the components' reported performance data in Trusted Agent FISMA (TAF). The DHS Inspector General verified and reported that milestones were completed in 2007 and the POA&M has been closed.

    Recommendation: To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the Chief Information Officer to establish milestones for completing verification of the components' reported performance data in Trusted Agent Federal Information Security Management Act.

    Agency Affected: Department of Homeland Security: Directorate of Management: Chief Information Officer
