DHS security officials face long hot summer of audits
- By Wilson P. Dizard III
- Apr 22, 2005
Homeland Security Department IT officials face a blistering summer of investigative reports on the department's systems security, the flaws in which likely will earn the department a failing grade in the Federal Information Security Management Act grading process for fiscal 2005.
The Government Accountability Office and the department's inspector general will issue a series of reports detailing security flaws in areas including database, network applications, the Homeland Security Digital Network and within the Citizenship and Immigration Services and Emergency Preparedness and Response directorates, officials from both organizations said.
These in-depth examinations come at a time of increased congressional interest as well.
At a hearing earlier this month before the House Homeland Security Committee's Subcommittee on Management, Integration and Oversight, chairman Mike Rogers said, 'The department needs to do much more to improve its [FISMA] grade from an F.'
The Alabama Republican acknowledged that DHS is working to certify and accredit all its systems by the end of fiscal 2006.
But Rogers said, 'DHS should be a good guy in the area of information security. The department needs to do a better job of protecting its own information systems while at the same time it protects the information technology infrastructure of the United States from cyberterrorism.'
Steven I. Cooper, the department's outgoing CIO, told the panel that the department would raise its FISMA grade to a B from an F in 2006.
He said DHS has launched an application, TrustedAgent FISMA from Trusted Integration Inc. of Alexandra, Va., that lets systems' managers evaluate their progress against the Office of Management and Budget's Federal Information Security Management Act guidance and goals.
'We have taken a risk-based approach' to certifying and accrediting systems, Cooper said.
For example, DHS officials have moved quickly to secure systems that relay threat information to outside agencies. He cited the Homeland Security Information Network as one such secured system.
In the meantime, GAO and the DHS IG will delve into specific problematic areas.
Greg Wilshusen, GAO's director of information security issues, said his agency plans to release an additional report on DHS' systems security 'in the June time frame.'
'We have an ongoing review of DHS information security programs,' Wilshusen said. 'It was requested by Sen. Joseph Lieberman [D-Conn.] who is the ranking minority member of the Homeland Security and Governmental Affairs Committee.'
Wilshusen said that DHS 'is probably going in the right direction but they have a ways to go. Getting a complete inventory of their systems is a necessary first step.'
The DHS IG also is poised to release additional reports on the security of other systems this summer, according to a senior official in the IG's office, who requested anonymity.
'I think they understand what they need to do. It is a matter of getting top management support,' the official said. 'The new secretary [Michael Chertoff] has made IT security a top priority.'