CISA cannot demonstrate how its oversight has improved Dams Sector security and resilience because CISA has not coordinated or tracked its Dams Sector activities, updated overarching national critical infrastructure or Dams Sector plans, and collected and evaluated performance information on Dams Sector activities. Furthermore, we found that CISA does not consistently provide information to FEMA to help ensure its assistance addresses the most pressing needs of the Dams Sector. CISA and FEMA also do not coordinate their flood mapping information. Finally, CISA does not effectively use the Homeland Security Information Network Critical Infrastructure Dams Portal to provide external Dams Sector Stakeholders with critical information. We recommended that CISA update the Dams Sector-Specific Plan, its internal organization structures, and establish performance metrics to determine its impact on the Dams Sector. We also recommended it coordinate with FEMA on its grants and flood mapping systems. Finally, we recommended CISA implement a strategy to use the HSIN-CI Dams portal to its fullest potential. We made five recommendations to update CISA’s Sector-Specific Plan, internal organization structures, and coordination with FEMA that, when implemented, will improve dam security and resilience. CISA concurred with all five recommendations.
- Executive Summary
Report Number: OIG-21-59 | Fiscal Year: 2021
Evaluation of DHS' Compliance with Federal Information Security Modernization Act Requirements for Intelligence Systems for Fiscal Year 2020 - Secret
Executive Summary
Since our FY 2020 evaluation, the Office of Intelligence and Analysis (I&A) has continued to provide effective oversight of the department-wide intelligence system and has implemented programs to monitor ongoing security practices. We determined that DHS' information security program for Top Secret/Sensitive Compartmented Information intelligence systems is effective this year as the Department achieved “Level 4 – Managed and Measurable” in three of five cybersecurity functions, based on current reporting instructions for intelligence systems. However, we identified deficiencies in DHS’ protect and recover functions. We made three recommendations to I&A to address the deficiencies identified, and I&A concurred with all three recommendations.
Report Number: OIG-21-55 | Fiscal Year: 2021
- Executive Summary
CBP did not always protect MPC apps from cybersecurity threats. This occurred because app version updates were not always scanned for vulnerabilities and CBP did not always identify vulnerabilities detected in scans. CBP also did not complete seven required security and privacy compliance reviews of MPC apps because it did not establish a schedule for the reviews or track and centrally store review documentation. In addition, CBP did not obtain the information needed for the reviews, had competing priorities, and did not ensure app developers created a process for a required internal audit. Finally, CBP did not implement Department server configuration requirements for its MPC servers. We made eight recommendations that, when implemented, should improve the security of CBP’s MPC program. CBP concurred with all eight recommendations.
Report Number: OIG-21-47 | Fiscal Year: 2021
- Executive Summary
We determined DHS had not yet strengthened its cybersecurity posture by implementing a Continuous Diagnostics and Mitigation (CDM) Program. DHS spent more than $180 million between 2013 and 2020 to design and deploy a department-wide continuous monitoring solution but faced setbacks. DHS initially planned to deploy its internal CDM solution by 2017 using a “One DHS” approach that restricted components to a standard set of common tools. We attributed DHS’ limited progress to an unsuccessful initial implementation strategy, significant changes to its deployment approach, and continuing issues with component data collection and integration. As of March 2020, DHS had developed a key element of the program, its internal CDM dashboard. However, the dashboard contained less than half of the required asset management data. As a result, the Department cannot leverage intended benefits of the dashboard to manage, prioritize, and respond to cyber risks in real time. Finally, we identified vulnerabilities on CDM servers and databases. This occurred because DHS did not clearly define patch management responsibilities and had not yet implemented required configuration settings. Consequently, databases and servers could be vulnerable to cybersecurity attack, and the integrity, confidentiality, and availability of the data could be at risk. We made three recommendations for DHS to update its program plan, address vulnerabilities, and define patch management responsibilities.
Report Number: OIG-21-38 | Fiscal Year: 2021
- Executive Summary
We determined that DHS needs to improve the collection and management of data across its multiple components to better serve and safeguard the public. The data access, availability, accuracy, completeness, and relevance issues we identified presented numerous obstacles for DHS personnel who did not have essential information they needed for decision making or to effectively and efficiently carry out day-to-day mission operations. Although DHS has improved its information security program and developed plans to improve quality and management of its data, follow-through and continued improvement will be essential to address the internal control issues underlying the data deficiencies highlighted in the report. We made no recommendations in the summary report.
Report Number: OIG-21-37 | Fiscal Year: 2021
DHS Made Limited Progress to Improve Information Sharing under the Cybersecurity Act in Calendar Years 2017 and 2018
Executive Summary
The Cybersecurity and Infrastructure Security Agency (CISA) increased the number of Automated Indicator Sharing (AIS) participants as well as the volume of cyber threat indicators it has shared since the program’s inception in 2016. However, CISA made limited progress in improving the overall quality of information it shares with AIS participants to effectively reduce cyber threats and protect against attacks. The lack of progress can be attributed to the limited number of AIS participants sharing cyber indicators with CISA, delays in receiving cyber threat intelligence standards, and insufficient staff. To be more effective, CISA should hire the staff it needs to provide outreach, guidance, and training. We made four recommendations to CISA to enhance the program’s overall effectiveness and cyber threat information sharing. CISA concurred with all four recommendations.
Report Number: OIG-20-74 | Fiscal Year: 2020
- Executive Summary
U.S. Customs and Border Protection (CBP) did not adequately safeguard sensitive data on an unencrypted device used during its facial recognition technology pilot (known as the Vehicle Face System). A subcontractor working on this effort, Perceptics, LLC, transferred copies of CBP’s biometric data, such as traveler images, to its own company network. The subcontractor obtained access to this data without CBP’s authorization or knowledge, and compromised approximately 184,000 traveler images from CBP’s facial recognition pilot. Later in 2019, the Department of Homeland Security experienced a major privacy incident, as the subcontractor’s network was subjected to a malicious cyber attack. While CBP and DHS took immediate action to mitigate the data breach, we attribute this incident to the subcontractor violating numerous DHS security and privacy protocols for safeguarding sensitive data. Consequently, this incident may damage the public’s trust in the Government’s ability to safeguard biometric data, and may result in travelers’ reluctance to permit DHS to capture and use their biometrics at U.S. ports of entry. We made three recommendations to aid CBP in addressing the vulnerabilities that caused the 2019 data breach, and to better mitigate future incidents through greater oversight of third-party partners. CBP concurred with all three recommendations.
Report Number: OIG-20-71 | Fiscal Year: 2020
- Executive Summary
Based on our recent and prior audits, inspections, special reviews, and investigations, we consider the most serious management and performance challenges currently facing DHS to be: (1) Managing Programs and Operations Effectively and Efficiently during times of Changes in Leadership, Vacancies, Hiring Difficulties; (2) Coordinating Efforts to Address the Sharp Increase in Migrants Seeking to Enter the United States through our Southern Border; (3) Ensuring Cybersecurity in an Age When Confidentiality, Integrity, and the Availability of Information Technology Are Essential to Mission Operations; (4) Ensuring Proper Financial Planning, Payments, and Internal Controls; and (5) Improving FEMA’s Disaster Response and Recovery Efforts. Addressing and overcoming these challenges requires firm leadership; targeted resources; and a commitment to mastering management fundamentals, data collection and dissemination, cost-benefit/risk analysis, and performance measurement.
Report Number: OIG-20-02 | Fiscal Year: 2020
- Executive Summary
DHS’ information security program was effective for fiscal year 2018 because the Department earned the targeted maturity rating, “Managed and Measurable” (Level 4) in four of five functions, as compared to last year’s lower overall rating, “Consistently Implemented” (Level 3). We attributed DHS’ progress to improvements in information security risk, configuration management practices, continuous monitoring, and more effective security training. By addressing the remaining deficiencies, DHS can further improve its security program ensuring its systems adequately protect the critical and sensitive data they store and process.
Report Number: OIG-19-60 | Fiscal Year: 2019
(U) Evaluation of DHS' Compliance with Federal Information Security Modernization Act Requirements for Intelligence Systems for Fiscal Year 2018
Executive Summary
We determined that DHS' information security program for Top Secret/Sensitive Compartmented Information intelligence systems is effective this year as the Department achieved “Level 4 – Managed and Measurable” in three of five cybersecurity functions, based on current reporting instructions for intelligence systems. However, we identified deficiencies in DHS’ overall patch management process and the Cybersecurity and Infrastructure Security Agency’s weakness remediation and security awareness training activities.
We made one recommendation to the Office of Intelligence and Analysis and two recommendations to the Cybersecurity and Infrastructure Security Agency to address the deficiencies identified. DHS concurred with all three recommendations.
Report Number: OIG-19-34-UNSUM | Fiscal Year: 2019