IG: CISA-Run Monitoring Program Has Not Improved DHS’ Cybersecurity Posture

The Continuous Diagnostics and Mitigation program the Cybersecurity and Infrastructure Security Agency is working to implement across the federal government has improved the cybersecurity posture of some agencies but not that of the Department of Homeland Security, according to an inspector general’s report.

Going back to 2013, CDM arose from Office of Management and Budget guidance instructing federal agencies to manage information security risk on a continuous basis. CISA is responsible for overseeing agencies’ implementation of the guidance and a federal dashboard where agencies feed data collected from sensors on their information technology through their own dashboards to provide central visibility into their systems. In August 2020, the Government Accountability Office concluded that, while incomplete, the program had improved the cybersecurity posture of three agencies: the Federal Aviation Administration, Indian Health Services and Small Business Administration.

But for DHS, where CISA is housed, that was not the case. “The Department of Homeland Security has not yet strengthened its cybersecurity posture by implementing a Continuous Diagnostics and Mitigation program,” reads the report issued Tuesday. 

The DHS Office of the Chief Information Security Officer is responsible for all of DHS’s internal CDM activities, including all the component agencies’ data reporting and the department’s own dashboard.  

“As of March 2020, DHS had developed an internal CDM dashboard, but reported less than half of the required asset management data,” the IG wrote.

The report said DHS was still coordinating the collection of the necessary data from its components and would need to update its dashboard to ensure there’s capacity to process it. 

“Until these capabilities are complete, the Department cannot leverage intended benefits of the dashboard to manage, prioritize, and respond to cyber risks in real time,” the report said. 

The IG also found cybersecurity vulnerabilities on the department's CDM servers and databases that were due to “DHS not clearly defining patch management responsibilities and not implementing required configuration settings,” according to the report. 

“Consequently, databases and servers could be vulnerable to cybersecurity attack, and the integrity, confidentiality, and availability of the data could be at risk,” the IG said.

DHS agreed with the IG’s recommendations to upgrade the dashboard, address the vulnerabilities and define patch management responsibilities. 

The IG requested a formal closeout letter within 30 days of the CISO’s office fully implementing the recommendations.