How the Government’s Cyber Agency Rates on Cybersecurity

The Homeland Security Department—the government’s point agency for cybersecurity—fell short of top marks in three of five areas in the annual information security assessment, according to a report released Monday.

The 2017 Federal Information Security Management Act report rates the department’s various cybersecurity capabilities on a scale of 1 through 5, with the lowest score, 1, representing an “ad-hoc” use of information security and the highest being an “optimized” cybersecurity posture.

“Per the FY 2017 reporting instructions, Level 4, ‘managed and measureable,’ represents an effective cybersecurity function,” Homeland Security’s inspector general wrote. “Where an agency achieves Level 4 in the majority of the five cybersecurity functions evaluated, its information security program may be considered effective overall.”

The department fell just short of that target. Of the five categories assessed—identify, protect, detect, respond and recover—Homeland Security achieved Level 4 in two and Level 3 in the remaining three areas.

The department achieved Level 4 cleanly in the incident response category with no additional recommendations from the inspector general. Auditors also gave the department a Level 4 designation for its ability to identify risk areas but qualified that score, as a number of classified and unclassified systems are still running without updated authorities to operate, or ATOs.

As of June 2017, 64 systems were running without security authorizations, including 16 integral to national security and 48 unclassified systems. While problematic, these numbers are down significantly year over year, from 79 unclassified systems operating without ATOs in 2016 and 203 in 2015.

The department has a goal of 100-percent compliance for its high-value systems and 95 percent compliance for lower value assets within each of its component agencies. For high-value systems, the Federal Emergency Management Agency, Immigration and Customs Enforcement, the National Protection and Programs Directorate—which oversees critical governmentwide cybersecurity initiatives—and the Coast Guard all fell short. For non-high-value assets, Homeland Security headquarters, the Federal Law Enforcement Training Center, ICE and NPPD missed the mark.

Level 3—Consistently Implemented

The other three efforts—protection, detection and recovery—are being implemented consistently, if not in a “managed and measureable” or “optimized” way, according to auditors, who gave the department a Level 3 ranking on each.

On the “protect” metric, the department fell short by not “implement[ing] all configuration settings required to protect component systems, continued using unsupported operating systems and did not apply security patches timely to mitigate critical and high-risk security vulnerabilities on selected systems,” the report reads.

The audit found components were largely in compliance but failed to meet standards for certain security settings, such as disabling anonymous access to shared network drives. Similarly, most components were using approved, up-to-date operating systems.  Some systems at headquarters, the Coast Guard and the Secret Service, however, were still using unsupported versions of Windows Server 2003.

Finally, the inspector general noted a lack of sufficient training opportunities for Homeland Security employees and an insufficient understanding of its workforce’s cyber skills.

“Lacking such an assessment, DHS cannot assure that its employees possess the knowledge and skills necessary to perform their various job functions, or that qualified personnel are hired to fill cybersecurity-related positions,” the report states. “DHS cited a lack of qualified security engineers from the overall labor market as the foremost reason for components failing to meet its [security authorization] metric.

Homeland Security failed to meet its goal on the “detect” metric, as well. While the department has a number of cybersecurity programs that help other federal agencies, its most widespread is Einstein, an advanced detection system designed to catch and stop known malicious traffic from entering federal networks.

Auditors declined to rate Homeland Security’s internal detection efforts at Level 4 due to a lack of up-to-date software licenses for unclassified systems and reliance on data calls to components to monitor national security systems rather than using enterprise management tools to pull that data from a central location.

The inspector general also rated the department’s “recovery” posture at Level 3, though not because of any specific incidents where the agency failed to rebound from an attack. The audit showed that the department and its components have fleshed out “Reconstruction Plans” in the event of a major incident but many of these plans have not been tested.

“Since the department’s inception in 2003, components have not effectively managed and secured their information systems,” the audit concluded. “Components have continued to operate systems without ATOs, used unsupported operating systems that expose DHS data to unnecessary risks, ineffectively managed the [plans of action and milestones] process to mitigate identified security weaknesses and failed to apply security patches timely… Until DHS overcomes challenges to addressing its systemic information security weaknesses, it will remain unable to ensure that its information systems adequately protect the sensitive data they store and process.”

Ultimately, the inspector general deemed “DHS has work to do to ensure the protection of the information and systems it uses to carry out its mission operations,” and made five recommendations for the chief information security officer to pursue.

Homeland Security officials, including the CISO agreed with the auditors’ findings and said the department was in the process of actively addressing them all.