In May 2020, the Deputy Under Secretary for Management formally documented the Department’s risk acceptance to allow the Coast Guard to meet FISMA requirements according to Department of Defense, rather than DHS’ reporting requirements.  The Deputy Under Secretary for Management’s decision adversely affected our ability to evaluate the Department’s enterprise-wide information program under this year’s OIG reporting metrics.  Nonetheless, when evaluating the overall effectiveness of DHS’ information security program for FY 2020 FISMA, our rating does not include the Coast Guard.  DHS’ information security program earned a maturity rating of “Managed and Measurable” (Level 4) in three of five functions.  DHS can further improve the effectiveness of its information security program by ensuring components execute all its policies and procedures.  We made four recommendations in our report, with one to the DHS Chief Information Officer, one to the S&T Chief Information Officer, one to the Secret Service Chief Information Officer, and one to the FEMA Chief Information Officer.  The Department concurred with all four recommendations.

The objective was to determine whether TSA implemented proper procedures to safeguard the secure areas of our Nation’s airports and whether airports, aircraft operators, and contractors were complying with TSA’s security requirements to control access to these areas.

We identified vulnerabilities with various airport access control points and associated access control procedures. We made six recommendations related to standard operating procedures, deployment of new technology, identification of industry best practices, and training.

As a follow-up to our 2017 report on TSA’s Federal Air Marshal Service’s (FAMS) domestic flight operations, we conducted this audit to determine the extent to which FAMS can interdict an improvised explosive device during flight. We identified vulnerabilities with FAMS’ contribution to international flight security. Details related to FAMS operations and flight coverage presented in the report are classified or designated as Sensitive Security Information. We made two recommendations.

We determined that although a complainant alleged there were systemic security challenges in the Office of Intelligence and Analysis (OIA), there were few documented security incidents over the past 5 years, all of which OIA addressed with corrective actions.  Further, OIA has improved the effectiveness of its Field Intelligence Division and the Field Intelligence Officers by hiring qualified, experienced intelligence professionals and implementing clear policies and procedures, but it could enhance officer training.  OIA is also addressing weaknesses in coordination among its watches and perceived delays in intelligence reporting.  We made two recommendations to improve the effectiveness of OIA operations; the Transportation Security Administration (TSA) concurred with both recommendations.