recommended reading

IG: DHS Does Not Track Security Training of System Administrator Contractors

A cyber security analyst works in the "watch and warning center" in Idaho Falls, Idaho in 2011.

A cyber security analyst works in the "watch and warning center" in Idaho Falls, Idaho in 2011. // Mark J. Terrill/AP file photo

The Homeland Security Department does not keep tabs on whether contractors that monitor vulnerabilities on federal networks have undergone training, according to a new inspector general audit.

These private sector system administrators support CyberScope, a central reservoir for incoming streams of data summarizing every federal agency's computer security posture. The composite view of threat-levels is intended to help Homeland Security leaders manage cyber risks governmentwide. The account of an inadequate security training program for system administrator contractors at DHS follows the alleged breach of top secret files by a system administrator contractor at the National Security Agency.

Homeland Security does not maintain records on who has taken security awareness and specialized information technology training; nor does the department ensure that all training requirements have been completed, according to auditors. 

"CyberScope contractors may not have received the appropriate skills or knowledge to properly administer and secure the systems against potential cyber threats," Frank Deffer, assistant inspector general for the office of IT audits, wrote in the report. 

He said DHS "cannot guarantee the security of the data collected through CyberScope without ensuring that all people involved understand their roles and responsibilities and are adequately trained to perform them." Inspectors reported similar findings in 2011. 

It is now commonplace at Homeland Security to rely on contractors to do work historically performed by government employees, according to a 2010 Government Accountability Office audit. DHS took over responsibility for governmentwide cybersecurity that same year.

In a writtten response to a draft report, Suzanne Spaulding, acting undersecretary for the department's National Protection and Programs Directorate, wrote that the department is developing "procedural controls for tracking CyberScope administrators to ensure training meets or exceeds applicable" federal requirements.

House Democrats voiced concerns about dispatching so many potentially undertrained contractors to handle sensitive cyber data. 

“With the recent national security leak revelations involving a contractor at NSA, we no longer have to speculate about whether contractors are capable of leaking sensitive information," Rep. Bennie G. Thompson, D-Miss., the minority leader of the Homeland Security Committee, said in a statement. 

On several occasions, DHS officials have indicated they intend to hire more federal workers to carry out cybersecurity responsibilities, and "this timely report makes clear that DHS must address this weakness immediately," he added. “Since we know that DHS has a longstanding overreliance on contractors, it is puzzling that DHS has not taken the solid steps to ensure its contractor workforce gets proper security training.”

Threatwatch Alert

Accidentally leaked credentials / Misplaced data

Hospital Breach Affects Thousands of Patients

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

    Download
  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    Download
  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

    Download
  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

    Download
  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

    Download
  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.

    Download

When you download a report, your information may be shared with the underwriters of that document.