DHS’ information security program was effective for fiscal year 2018 because the Department earned the targeted maturity rating, “Managed and Measurable” (Level 4) in four of five functions, as compared to last year’s lower overall rating, “Consistently Implemented” (Level 3). We attributed DHS’ progress to improvements in information security risk, configuration management practices, continuous monitoring, and more effective security training. By addressing the remaining deficiencies, DHS can further improve its security program ensuring its systems adequately protect the critical and sensitive data they store and process.
- Executive SummaryReport NumberOIG-19-60Issue DateDocument FileDHS AgencyOversight AreaKeywordsFiscal Year2019
- Executive Summary
We determined that DHS' information security program for Top Secret/Sensitive Compartmented Information intelligence systems is effective this year as the Department achieved “Level 4 – Managed and Measurable” in three of five cybersecurity functions, based on current reporting instructions for intelligence systems. However, we identified deficiencies in DHS’ overall patch management process and the Cybersecurity and Infrastructure Security Agency’s weakness remediation and security awareness training activities.
We made one recommendation to the Office of Intelligence and Analysis and two recommendations to the Cybersecurity and Infrastructure Security Agency to address the deficiencies identified. DHS concurred with all three recommendations.Report NumberOIG-19-34-UNSUMIssue DateDocument FileDHS AgencyOversight AreaKeywordsFiscal Year2019