Despite the progress made, Components were not consistently following DHS’ policies and procedures to maintain current or complete information on remediating security weaknesses in a timely manner. Components operated 79 unclassified systems with expired authorities to operate. Further, Components had not consolidated all internet traffic behind the Department’s trusted internet connections and continued to use unsupported operating systems that may expose DHS data to unnecessary risks. Our review identified deficiencies related to configuration management and continuous monitoring. We made four recommendations to the Chief Information Security Officer. The Department concurred with all four recommendations.