Skip to main content
U.S. flag

An official website of the United States government

Government Website

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Safely connect using HTTPS

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Audits, Inspections, and Evaluations

Report Number Title Issue Date Fiscal Year
OIG-18-07 ICE, CBP, and USCIS continue to experience challenges with emerging immigration enforcement and administration activities. Although DHS has established unity of effort initiatives to break silos and centralize decision making related to immigration, problems remain. We identified challenges related to mission allocation and expenditure comparisons, the affirmative asylum application process, and the Department’s struggle to understand immigration outcomes and decisions. DHS will continue to allow vulnerabilities that may affect national security and public safety to persist.

 

>DHS Needs a More Unified Approach to Immigration Enforcement and Administration 		2018
OIG-22-06 DHS Needs Additional Oversight and Documentation to Ensure Progress in Joint Cybersecurity Efforts 2022
OIG-19-42 DHS expanded the Insider Threat Program from monitoring user activity on its classified networks to monitoring cleared and non-cleared employees’ activity on unclassified networks. We initiated a project to determine Insider Threat Program progress in monitoring, detecting, and responding to malicious insider threats on unclassified DHS systems and networks. Before continuing its planned expansion of the Insider Threat Program, DHS needs to address several deficiencies that may hinder program effectiveness and efficiency. Although the expanded program was approved in January 2017, the Office of the Chief Security Officer has yet to revise, obtain approval for, and reissue required documentation.

>DHS Needs to Address Oversight and Program Deficiencies before Expanding the Insider Threat Program 		2019
OIG-12-88  

>DHS Needs To Address Portable Device Security Risks  		2012
OIG-19-62 DHS Needs to Improve Cybersecurity Workforce Planning 2019
OIG-16-39 In fiscal year 2014, DHS spent a total of $12.5 billion using interagency agreements. Past Office of Inspector General audit reports found that a component used Intra/Interagency Reimbursable Work Agreements (RWA) to bypass key internal controls rather than properly implement Interagency Acquisitions. We conducted a department-wide audit to determine whether DHS’s use of RWAs is in compliance with statutory, regulatory, departmental, and component requirements. Components are not issuing RWAs in compliance with the Department’s policy. Specifically, 100 percent of the 43 RWAs we tested—totaling approximately $88 million—had not been reviewed by a Certified Acquisition Official (CAO). In January 2015, DHS issued a policy requiring components to have a CAO review RWAs to ensure they are being issued properly prior to obligating funds. The CAO plays a critical role in ensuring high-risk transactions receive proper oversight. However, 70 percent of the RWAs we tested did not include enough information for a CAO to make an informed decision. DHS did not ensure components updated their policies and procedures to reflect the new requirements. Without a CAO review, components may continue to improperly issue RWAs, circumventing acquisition controls.

>DHS Needs to Improve Implementation of OCFO Policy Over Reimbursable Work Agreements 		2016
OIG-19-48 DHS Needs to Improve Its Oversight of Misconduct and Discipline 2019
OIG-10-111  

>DHS Needs to Improve the Security Posture of Its Cybersecurity Program Systems 		2010
OIG-13-113 The Department of Homeland Security (DHS) operates and maintains 20 land mobile radio networks serving more than 120,000 frontline agents and officers. These users rely on radio systems for primary communications, officer safety, and mission success. DHS manages about 197,000 radio equipment items and 3,500 infrastructure sites, with a reported value of more than $1 billion. Many of these systems have exceeded their service-life and urgently need to be modernized to meet Federal and DHS mandates. DHS has estimated that full modernization of its existing end-of-life radio systems would require a $3.2 billion investment. The audit objective was to determine whether DHS is managing its radio program and related inventory in a cost-effective manner to prevent waste of taxpayer dollars.

>DHS Needs to Manage Its Radio Communication Program Better 		2013
OIG-05-03 DHS Needs to Strengthen Controls For Remote Access to Its Systems and Data 2005
OIG-13-110 We conducted an audit of the efforts undertaken by the Department’s Office of the Chief Information Officer to implement and maintain continuity of operations and disaster recovery and contingency planning capabilities. The objective of our audit was to determine the progress that the Office of the Chief Information Officer has made in carrying out its continuity planning roles and developing contingency planning strategies for routine backup of critical data, programs, documentation, and personnel for recovery after an interruption.

>DHS Needs To Strengthen Information Technology Continuity and Contingency Planning Capabilities (Redacted) 		2013
OIG-18-41 DHS Needs to Strengthen Its Suspension and Debarment Program 2018
OIG-11-71  

>DHS Oversight of Component Acquisition Programs 		2011
OIG-21-06 DHS Privacy Office Needs to Improve Oversight of Department-wide Activities, Programs, and Initiatives 2021
OIG-05-09 DHS Requires Additional Processes and Controls Over Its National Security Systems 2005
OIG-17-116-VR We determined that due to changes DHS made to the process, political appointees do not influence Freedom of Information Act (FOIA) processors to delay or withhold the release of FOIA information.  Unlike the former process, the new process does not provide opportunities for political appointees in headquarters to inappropriately interfere with releases of significant FOIA information, and we did not identify any instances in which headquarters officials used the process to engage in those activities.  However, because DHS has not issued final guidance for the process, it is vulnerable to misuse in the future.  We recommended that the Chief FOIA Officer/Chief Privacy Officer issue final guidance on the 1-Day Awareness Notification Process.  The guidance should state 1) the purpose of the process is to inform senior officials of the imminent release of information that may raise public interest and 2) FOIA staff determine whether information should be released or withheld under FOIA’s exceptions and exemptions.

 

>DHS Review of Responses to Significant Freedom of Information Act Requests (Verification Review of OIG-11-67) 		2017
OIG-15-80 DHS does not require components to track justifications for making travel reservations offline, that is, by contacting an agent by telephone. Therefore, it is difficult to identify whether offline travel fees are excessive. Making reservations by telephone costs $23 to $27 more per transaction than making a reservation online through the web-based system. The Department is also not effectively managing components’ use of the online system. As a result, the Department may be missing opportunities to reduce offline travel reservation fees and identify cost savings. Finally, although the Senate Appropriations Committee expected DHS to reduce its offline reservation costs in fiscal year 2014, data from DHS showed that, overall, offline costs increased.

>DHS Should Do More to Reduce Travel Reservation Costs 		2015
OIG-18-81 DHS support components do not have sufficient processes and procedures to address misconduct. Support Components provide resources, analysis, equipment, research, policy development, and other specific assistance to operational components. These deficiencies exist because no single office or entity

is responsible for managing and overseeing misconduct issues across support components. According to Government Accountability Office (GAO) guidance, it is important for agencies to establish organizational structure, assign responsibility, and delegate authority, so they can achieve their objectives. Support components need to improve their processes and procedures for addressing misconduct. Specifically, support components do not maintain comprehensive data about misconduct  allegations; refer misconduct allegations consistently to OIG; provide guidance for supervisors and investigators on handling misconduct; and manage misconduct allegations effectively.

>DHS Support Components Do Not Have Sufficient Processes and Procedures to Address Misconduct 		2018
OIG-13-115 We audited the Department of Homeland Security’s (DHS) efforts to implement Web 2.0 technology, also known as social media. The objective of our audit was to determine the effectiveness of DHS’ and its components’ use of Web 2.0 technologies to facilitate information sharing and enhance mission operations. The scope and methodology of this audit are discussed further in appendix A. Although DHS prohibits social media access to employees using a government-issued electronic device or computer unless a waiver or exception is granted, the Department has steadily increased its use of various social media sites over the past 5 years.

>DHS Uses Social Media To Enhance Information Sharing and Mission Operations, But Additional Oversight and Guidance Are Needed 		2013
OIG-18-05 DHS personnel do not always safeguard sensitive assets that, if lost, would result in critical mission impact or loss of life. Between fiscal years 2014 and 2016, the Department of Homeland Security personnel lost a total of 2,142 highly sensitive assets — 228 firearms; 1,889 badges; and 25 secure immigration stamps. Although this represents a slight improvement from our last audit, more than half of the lost items we reviewed (65 of 115) revealed that component personnel did not follow policy or used poor judgment when safeguarding these assets. In these cases, components did not always hold personnel accountable nor did they receive remedial training for failing to safeguard these sensitive assets.

>DHS' Controls Over Firearms and Other Sensitive Assets 		2018
OIG-14-02 We audited the National Protection and Programs Directorate’s (NPPD) efforts in coordinating with cyber operations centers across the Federal Government. The recent increase in cyber attacks has triggered an expansion of security initiatives and collaboration between the Government and the private sector. The National Cybersecurity and Communications Integration Center, which is the operational arm of the Office of Cybersecurity and Communications within NPPD, is responsible for integrating cyber threat information from the five Federal cybersecurity centers and collaborating with these centers in responding to cyber security incidents that may pose a threat to the Nation.

>DHS' Efforts to Coordinate the Activities of Federal Cyber Operations Centers 		2014
OIG-05-19 DHS' Efforts to Develop the Homeland Secure Data Network 2005
OIG-09-07 DHS' Efforts to Improve the Homeland Security Information Network 2009
OIG-22-09 DHS' Implementation of OIG Recommendations Related to Drug Interdiction 2022
OIG-18-34 The DATA Act required the OIG to review a statistically valid sample of DHS’ fiscal year 2017, 2nd quarter spending data posted on USASpending.gov and to submit to Congress a report assessing the data’s completeness, timeliness, quality, and accuracy; and DHS’ implementation and use of Government-wide financial data standards. The Digital Accountability and Transparency Act of 2014 (DATA Act) required DHS to submit, by May 2017, complete, accurate, and timely spending data to the Department of the Treasury (Treasury) for publication on USASpending.gov beginning with the 2nd quarter of FY 2017. DHS successfully certified and submitted its FY 2017/Q2 spending data for posting on USASpending.gov in April 2017. Although DHS met the DATA Act’s mandated submission deadline, we identified issues concerning the completeness and accuracy of its first data submission that hinders the quality and usefulness of the information.

 

>DHS' Implementation of the DATA Act 		2018
OIG-06-46 DHS' Management of Automated Procurement Systems Needs Improvement 2006
OIG-07-22 DHS' Management of BioWatch Program, 2007
OIG-18-73 Not all forms DHS and its components use to create NDAs include the required WPEA statement. Further, although many of the settlement agreement templates and settlement agreements in the sample we reviewed included provisions that might restrict or prevent disclosure of information, nearly three-fourths of these documents did not contain the WPEA statement. Omitting the statement in NDAs and personnel settlement agreements could lead to confusion about what information may be disclosed to permissible recipients, which could deter reporting of fraud, waste, or abuse and impede DHS Office of Inspector General (OIG) activities.

>DHS' Non-disclosure Forms and Settlement Agreements Do Not Always Include the Required Statement from the Whistleblower Protection Enhancement Act of 2012 		2018
OIG-16-19 DHS does not have adequate oversight of its workforce training. DHS lacks reliable training cost information and data needed to make effective and efficient management decisions. In addition, it does not have an effective governance structure for its training oversight, including clearly defined roles, responsibilities, and delegated authorities. Finally, DHS has not adequately addressed 29 different recommendations to improve training efficiencies made since 2004 by various working groups. As a result, DHS cannot ensure the most efficient use of resources.

>DHS' Oversight of Its Workforce Training Needs Improvement 		2016
OIG-13-96 According to the Department, it participated in 1,094 conferences in fiscal year 2012, with expenditures totaling approximately $21.6 million. We conducted this audit in response to a mandate from the House Appropriations Committee, which directed the Office of Inspector General to report, no later than 30 days after the date of enactment of the DHS Fiscal Year 2013 Appropriations Bill, whether DHS has effective procedures in place to ensure compliance with all applicable Federal laws and regulations on conferences. The Fiscal Year 2013 Appropriations Bill was enacted on March 26, 2013.

>DHS' Policies and Procedures Over Conferences 		2013
OIG-20-56 DHS generally met deadlines for responding to simple Freedom of Information Act (FOIA) requests, it did not do so for most complex requests.  A significant increase in requests received, coupled with resource constraints, limited DHS’ ability to meet production timelines under FOIA, creating a litigation risk for the Department.  Additionally, DHS has not always fully documented its search efforts, making it difficult for the Department to defend the reasonableness of the searches undertaken.  With respect to responding to congressional requests, we determined DHS has established a timeliness goal of 15 business days or less; however, on average, it took DHS nearly twice as long to provide substantive responses to Congress, with some requests going unanswered for up to 450 business days.  Further, DHS redacted personal information in its responses to congressional committee chairs even when disclosure of the information was statutorily permissible.  This was a descriptive report and contained no recommendations.  In its response, DHS acknowledged FOIA backlogs remain a problem, despite increasing requests processed.  DHS stated its process responding to congressional requests varies greatly and that its redactions are appropriate.

>DHS' Process for Responding to FOIA and Congressional Requests 		2020
OIG-16-105 Based on GSA’s eRETA system, between fiscal years 2003 and 2014, DHS and its components authorized more than 18,000 RWAs with GSA, totaling $4.1 billion. We conducted this audit to determine whether the Department’s use of RWAs was in compliance with statutory, regulatory, departmental, and component requirements.

>DHS' Use of Reimbursable Work Agreements with GSA 		2016
OIG-10-50  

>DHS' Use of Suspension and Debarment Actions for Poorly Performing Contractors 		2010
OIG-13-06 The Department of Homeland Security (DHS) includes an amalgamation of organizations that work together to prevent and respond to terrorist attacks, natural disasters, and other threats. Such collaboration requires that components establish effective communication among external and internal partners during operations. DHS established an internal goal of developing interoperable radio communications and identified common channels, and its components invested about $430 million in equipment, infrastructure, and maintenance to meet communication requirements. We performed this audit to determine whether DHS’ oversight ensured achievement of Department-wide interoperable radio communications.

>DHS’ Oversight of Interoperable Communications 		2013
OIG-16-138 In 2012, we reported on DHS’ challenges in implementing an effective information technology (IT) management program. FITARA was enacted in 2014 to institutionalize IT reform across the Federal Government. We conducted this audit to determine the extent to which DHS has implemented FITARA to improve department-wide IT management and oversight.

>DHS’ Progress in Implementing the Federal Information Technology Acquisition Reform Act 		2016
OIG-13-105 In April 2012, in response to its growing caseload and limited resources, the Watchlisting Cell proposed to decentralize its watchlist nomination process by providing watchlist analyst training and certification to analysts in DHS operational components, and then delegating to the certified watchlist analysts the authority to submit terrorist nominations. We reviewed the Watchlisting Cell to determine whether (1) it is timely, effective, and efficient in submitting DHS nominations; (2) the information provided to external partners is complete, accurate, and timely; (3) establishing the Watchlisting Cell has had an effect on the DHS component nomination process; and (4) the Watchlisting Cell has developed and communicated effective policies and procedures for coordinating nomination submissions within DHS. We also reviewed whether the Watchlisting Cell has developed an effective process for providing nominator certification training, quality assurance, and the oversight necessary for decentralization, and whether it has developed an effective methodology for planning and coordinating its resources.

>DHS’ Watchlisting Cell’s Efforts To Coordinate Departmental Nominations (Redacted) 		2013
OIG-05-22 Disaster Recovery Planning for DHS Information Systems Needs Improvement (Redacted) 2005
OIG-10-69  

>Efficacy of DHS Grant Programs  		2010
OIG-06-39 Enhanced Security Controls Needed for US-VISIT's System Using RFID Technology (Redacted) 2006
OIG-09-92  

>Evaluation of DHS Security Program and Practices for Its Intelligence Systems for Fiscal Year 2009 (Unclassified Summary) 		2009
OIG-20-47 Evaluation of DHS' Compliance with Federal Information Security Modernization Act Requirements for Intelligence Systems for Fiscal Year 2019 2020
OIG-21-55 Since our FY 2020 evaluation, the Office of Intelligence and Analysis (I&A) has continued to provide effective oversight of the department-wide intelligence system and has implemented programs to monitor ongoing security practices.  We determined that DHS' information security program for Top Secret/Sensitive Compartmented Information intelligence systems is effective this year as the Department achieved “Level 4 – Managed and Measurable” in three of five cybersecurity functions, based on current reporting instructions for intelligence systems.  However, we identified deficiencies in DHS’ protect and recover functions.  We made three recommendations to I&A to address the deficiencies identified, and I&A concurred with all three recommendations.

>Evaluation of DHS' Compliance with Federal Information Security Modernization Act Requirements for Intelligence Systems for Fiscal Year 2020 - Secret 		2021
OIG-04-41 Evaluation of DHS' Information Security Program for Fiscal Year 2004, September 2004 2004
OIG-05-46 Evaluation of DHS' Information Security Program for Fiscal Year 2005 2005
OIG-06-62 Evaluation of DHS' Information Security Program for Fiscal Year 2006 2006
OIG-07-77 Evaluation of DHS' Information Security Program for Fiscal Year 2007 2007
OIG-09-109  

>Evaluation of DHS' Information Security Program for Fiscal Year 2009 (Redacted) 		2009
OIG-15-16 We reviewed Department of Homeland Security’s (DHS) information security program in accordance with the Federal Information Security Management Act of 2002 (FISMA). Our objective was to determine whether DHS’ information security program is adequate, effective, and in compliance with FISMA requirements. DHS has taken steps to improve its information security program. For example, DHS expanded the ongoing authorization program to improve the security of its information systems through a revised risk management approach. Additionally, DHS developed and implemented the Fiscal Year 2014 Information Security Performance Plan, which defines the performance requirements, priorities, and overall goals for the Department. DHS has also taken actions to address the President’s cybersecurity priorities, which include the implementation of trusted internet connections, continuous monitoring of the Department’s information systems, and strong authentication. While these efforts have resulted in some improvements, Components are not consistently following DHS’ policies and procedures to update the system inventory and plan of action and milestones in the Department’s enterprise management systems. Further, Components continue to operate systems without the proper authority.

>Evaluation of DHS' Information Security Program for Fiscal Year 2014 		2015
OIG-16-08 We reviewed the Department of Homeland Security’s (DHS) information security program in accordance with the Federal Information Security Modernization Act of 2014. Our objective was to determine whether DHS’ information security program is adequate, effective, and complies with FISMA requirements. DHS has taken actions to strengthen its information security program. For example, DHS developed and implemented the Fiscal Year 2015 Information Security Performance Plan to define the performance requirements, priorities, and overall goals of the Department. DHS has also taken steps to address the President’s cybersecurity priorities, such as Information Security Continuous Monitoring; Identity, Credential, and Access Management; and anti-phishing and malware defense. Nonetheless, the Department must ensure compliance with information security requirements in other areas.

>Evaluation of DHS' Information Security Program for Fiscal Year 2015 (Revised) 		2016
OIG-17-24 Despite the progress made, Components were not consistently following DHS’ policies and procedures to maintain current or complete information on remediating security weaknesses timely. Components operated 79 unclassified systems with expired authorities to operate.  Further, Components had not consolidated all internet traffic behind the Department’s trusted internet connections and continued to use unsupported operating systems that may expose DHS data to unnecessary risks.  Our review identified deficiencies related to configuration management and continuous monitoring. We made four recommendations to the Chief Information Security Officer.  The Department concurred with all four recommendations.

>Evaluation of DHS' Information Security Program for Fiscal Year 2016 		2017

*NDAA, Pub. L. 117-263, section 5274 Response Received. View responses

Return to top of page