Information Security: DHS Needs to Enhance Capabilities, Improve Planning, and Support Greater Adoption of Its National Cybersecurity Protection System
Highlights
What GAO Found
The Department of Homeland Security's (DHS) National Cybersecurity Protection System (NCPS) is partially, but not fully, meeting its stated system objectives:
Intrusion detection: NCPS provides DHS with a limited ability to detect potentially malicious activity entering and exiting computer networks at federal agencies. Specifically, NCPS compares network traffic to known patterns of malicious data, or “signatures,” but does not detect deviations from predefined baselines of normal network behavior. In addition, NCPS does not monitor several types of network traffic and its “signatures” do not address threats that exploit many common security vulnerabilities and thus may be less effective.
Intrusion prevention: The capability of NCPS to prevent intrusions (e.g., blocking an e-mail determined to be malicious) is limited to the types of network traffic that it monitors. For example, the intrusion prevention function monitors and blocks e-mail. However, it does not address malicious content within web traffic, although DHS plans to deliver this capability in 2016.
Analytics: NCPS supports a variety of data analytical tools, including a centralized platform for aggregating data and a capability for analyzing the characteristics of malicious code. In addition, DHS has further enhancements to this capability planned through 2018.
Information sharing: DHS has yet to develop most of the planned functionality for NCPS's information-sharing capability, and requirements were only recently approved. Moreover, agencies and DHS did not always agree about whether notifications of potentially malicious activity had been sent or received, and agencies had mixed views about the usefulness of these notifications. Further, DHS did not always solicit—and agencies did not always provide—feedback on them.
In addition, while DHS has developed metrics for measuring the performance of NCPS, they do not gauge the quality, accuracy, or effectiveness of the system's intrusion detection and prevention capabilities. As a result, DHS is unable to describe the value provided by NCPS.
Regarding future stages of the system, DHS has identified needs for selected capabilities. However, it had not defined requirements for two capabilities: to detect (1) malware on customer agency internal networks or (2) threats entering and exiting cloud service providers. DHS also has not considered specific vulnerability information for agency information systems in making risk-based decisions about future intrusion prevention capabilities.
Federal agencies have adopted NCPS to varying degrees. The 23 agencies required to implement the intrusion detection capabilities had routed some traffic to NCPS intrusion detection sensors. However, only 5 of the 23 agencies were receiving intrusion prevention services, but DHS was working to overcome policy and implementation challenges. Further, agencies have not taken all the technical steps needed to implement the system, such as ensuring that all network traffic is being routed through NCPS sensors. This occurred in part because DHS has not provided network routing guidance to agencies. As a result, DHS has limited assurance regarding the effectiveness of the system.
Why GAO Did This Study
Cyber-based attacks on federal systems continue to increase. GAO has designated information security as a government-wide high-risk area since 1997. This was expanded to include the protection of critical cyber infrastructure in 2003 and protecting the privacy of personally identifiable information in 2015. NCPS is intended to provide DHS with capabilities to detect malicious traffic traversing federal agencies' computer networks, prevent intrusions, and support data analytics and information sharing.
Senate and House reports accompanying the 2014 Consolidated Appropriations Act included provisions for GAO to review the implementation of NCPS. GAO determined the extent to which (1) the system meets stated objectives, (2) DHS has designed requirements for future stages of the system, and (3) federal agencies have adopted the system. To do this, GAO compared NCPS capabilities to leading practices, examined documentation, and interviewed officials at DHS and five selected agencies. This is a public version of a report that GAO issued in November 2015 with limited distribution. Certain information on technical issues has been omitted from this version.
Recommendations
GAO recommends that DHS take nine actions to enhance NCPS's capabilities for meeting its objectives, better define requirements for future capabilities, and develop network routing guidance. DHS concurred with GAO's recommendations.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Department of Homeland Security | The Secretary of Homeland Security should direct Network Security Deployment (NSD) to determine the feasibility of enhancing NCPS's current intrusion detection approach to include functionality that would detect deviations from normal network behavior baselines. |
DHS concurred with the recommendation. In 2018, we verified that DHS had determined that enhancing NCPS's current intrusion detection approach to include functionality that would detect deviations from normal network behavior baselines would be feasible.
|
Department of Homeland Security | The Secretary of Homeland Security should direct NSD to determine the feasibility of developing enhancements to current intrusion detection capabilities to facilitate the scanning of traffic not currently scanned by NCPS. |
DHS concurred with the recommendation. In 2018, we verified that DHS had determined the feasibility of developing enhancements to current intrusion detection capabilities to facilitate the scanning of traffic that was not being scanned by NCPS.
|
Department of Homeland Security | The Secretary of Homeland Security should direct United States Computer Emergency Readiness Team (US-CERT) to update the tool it uses to manage and deploy intrusion detection signatures to include the ability to more clearly link signatures to publicly available, open-source data repositories. |
In April 2016, DHS provided an updated work instruction which provides analysts with the instructions on how to use "tags" to establish a link between signatures for inclusion in the Signature Management System (SMS) (the tool it uses to manage and deploy intrusion detection signatures) and multiple other factors, including publicly available, open-source data repositories, such as Common Vulnerability and Exposure or CVE.
|
Department of Homeland Security | The Secretary of Homeland Security should direct US-CERT to consider the viability of using vulnerability information, such as data from the Continuous Diagnostics and Mitigation program as it becomes available, as an input into the development and management of intrusion detection signatures. |
DHS concurred with the recommendation. In 2019, we verified that DHS determined that data from the Continuous Diagnostics and Mitigation program did not provide sufficient detail for input into the development of intrusion detection signatures at this time. Instead, DHS followed a process to analyze vulnerability information from other sources, including malicious code and network traffic, to determine the viability of the information as an input into the development of signatures.
|
Department of Homeland Security | The Secretary of Homeland Security should direct US-CERT to develop a timetable for finalizing the incident notification process, to ensure that customer agencies are being sent notifications of potential incidents, which clearly solicit feedback on the usefulness and timeliness of the notification. |
DHS concurred with the recommendation. In 2019 we verified that DHS updated its incident notification process. As part of these efforts, the department began using a standard format for notifications that includes information pertaining to the incident, contact information the agencies can use to inquire if they have questions or to request additional information about the incident, and instructions on how to provide feedback.
|
Department of Homeland Security | The Secretary of Homeland Security should direct the Office of Cybersecurity and Communications to develop metrics that clearly measure the effectiveness of NCPS's efforts, including the quality, efficiency, and accuracy of supporting actions related to detecting and preventing intrusions, providing analytic services, and sharing cyber-related information. |
DHS concurred with the recommendation. In 2019, we verified that DHS had begun reporting on updated Government Performance and Results Act measures and DHS Annual Performance Goals for fiscal year 2019. These updated metrics include both qualitative and quantitative assessments of the department's National Cybersecurity Protection System's ability to fulfill its objectives. For example, DHS has begun measuring the amount of time it takes to aggregate and correlate detected cyber events.
|
Department of Homeland Security | The Secretary of Homeland Security should direct the Office of Cybersecurity and Communications to develop clearly defined requirements for detecting threats on agency internal networks and at cloud service providers to help better ensure effective support of information security activities. |
DHS concurred with the recommendation. In 2018, we verified that DHS developed task orders with clearly defined requirements for detecting threats on agency internal networks and at cloud service providers to help better ensure effective support of information security activities.
|
Department of Homeland Security | The Secretary of Homeland Security should direct NSD to develop processes and procedures for using vulnerability information, such as data from the Continuous Diagnostics and Mitigation program as it becomes available, to help ensure DHS is using a risk-based approach for the selection/development of future NCPS intrusion prevention capabilities. |
DHS concurred with the recommendation. In 2018, we verified that DHS developed assessment processes and procedures for using vulnerability information, such as data from the Continuous Diagnostics and Mitigation program as it becomes available, to help ensure DHS is using a risk-based approach for the selection/development of future NCPS intrusion prevention capabilities.
|
Department of Homeland Security | The Secretary of Homeland Security should direct NSD to work with their customer agencies and the Internet service providers to document secure routing requirements in order to better ensure the complete, safe, and effective routing of information to NCPS sensors. |
DHS concurred with the recommendation. Throughout 2018 and 2019, DHS officials worked with the Office of Management and Budget (OMB), the General Services Administration, and the Office of American Innovations on an update to the Trusted Internet Connections (TIC) policy and Reference Architecture. In September 2019, OMB issued an update to the TIC initiative that addresses, among other things, agency challenges with traffic routing.
|