GAO to DHS: Assess How Agencies Implement Cyber Directives

Mott Jordan/

An audit says the Department of Homeland Security needs to do more to ensure agencies carry out binding directives it issues.

In recent years, the Homeland Security Department has taken on an expanded role in securing government agencies and critical infrastructure, issuing binding directives to stakeholders to safeguard federal cybersecurity

Since 2015, DHS had issued eight directives instructing agencies to mitigate critical vulnerabilities and secure government systems. However, a Government Accountability Office audit released Feb. 4 found that—despite the successes of those directives—Homeland Security is not doing enough to ensure stakeholders fully comply with binding directives. In addition, agencies often take longer than the 30-day limit to complete actions mandated through those directives.

“DHS is not well-positioned to validate all directives because it lacks a risk-based approach as well as a strategy to check selected agency-reported actions to validate their completion,” the audit states.

GAO’s audit encompassed 12 agencies. In one example, Homeland Security only completed about half of the assessments of agencies’ high-value assets over fiscal 2018 and 2019.

GAO made four recommendations to Homeland Security to improve agency accountability and interagency communication.