DHS’s Intelligence Information Security Program is ‘Ineffective,’ According to Watchdog

The Department of Homeland Security fell back in its intelligence systems’ rating under the Federal Information Security Modernization Act for fiscal year 2021, according to a recent summary issued by the agency Office of Inspector General.

Specifically, OIG evaluated the department’s security program for Top Secret/Sensitive Compartmented Information intelligence systems. The evaluation examined DHS' security program and security controls for its enterprise-wide intelligence system Classified Local Area Networks, in accordance with FISMA. 

OIG performed its evaluation between June 2021 and March 2022. Pursuant to which, it issued the “ineffective” rating for the department’s intelligence system’s compliance with FISMA requirements.

Under FISMA reporting requirements, as determined by the Cybersecurity and Infrastructure Security Agency, IGs have discretion to determine the overall effectiveness ratings for their agencies based on five possible maturity levels for each information security category: ad-hoc, defined, consistently implemented, managed and measurable, and optimized.The FISMA requirements are designed to work with the National Institute of Standards and Technology’s framework to improve critical infrastructure cybersecurity. NIST’s framework covers five areas: identify, protect, detect, respond and recover. Last year, the OIG listed the DHS intelligence information security program as “effective” based on a “managed and measurable” classification in three of five functions.

OIG made two recommendations to the department’s Office of Intelligence and Analysis to address the identified issues and the department agreed to the recommendations. 

In its unclassified summary, the DHS did not specify its recommendations nor the specific ways DHS’ system was not in compliance with FISMA.