DHS information security still deficient, IG says

Despite improvements, the Homeland Security Department still has weak information security programs overall, according to a new report from DHS inspector general Richard L. Skinner.

The IG's audit found that many of the department's IT systems remain uncertified and unaccredited, while plans to correct weaknesses are undeveloped. The report also said contingency plans have not been developed and tested for all systems, and added that tools used to measure progress are neither complete nor current.

'We recommend that DHS continue to consider its information security program a significant deficiency for [fiscal] 2005,' the IG concluded.

DHS officials agreed with the recommendations and, according to the report, have developed remediation plans for fiscal 2006.

Skinner evaluated DHS' compliance with the Federal Information Security Management Act of 2002, which focuses on program management, implementation and evaluation of the security of unclassified and national security IT systems.

The department has made progress on several fronts, including developing so-called Plans of Action and Milestones, as well as a Trusted Agent FISMA tool to collect and track data related to FISMA compliance.

DHS also performed a comprehensive inventory of its IT systems, identifying 795 operational systems as of Aug. 25. That's more than double the 295 systems it reported the previous year, the report said. However, DHS does not yet have a process to update its inventory annually.

Other deficiencies in DHS' IT security cited in the report include:
  • Self-assessments have been performed on only 46 percent of contractor systems used on behalf of DHS.

  • The Transportation Security Administration and the Secret Service have no contingency plans for network security, and the Citizenship and Immigration Services agency, the Coast Guard and the Secret Service have no contingency plans for database security.

  • Fifteen out of 16 certification and accreditation packages reviewed at DHS were incomplete, with some key security documents either not prepared, in draft or failing to meet appropriate guidelines.

  • The Customs and Border Protection, CIS and Emergency Preparedness and Response agencies, and the Federal Law Enforcement Training Center did not submit weekly reports to the DHS Computer Security Incident Response Center as required, based on a 10-week evaluation period.

Alice Lipowicz is a staff writer for Government Computer News' sister publication, Washington Technology.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

