DHS Procurement Cyber Reporting Requirement Needs Clarifying, Watchdog Finds


The Government Accountability Office noted that several major acquisition programs at DHS didn’t think the requirement applied to them.

The Department of Homeland Security needs to clarify the cybersecurity reporting policy for its major acquisition programs, particularly as the agency will spend more than $4 billion on those programs this fiscal year, according to a watchdog report from late last week.

The Government Accountability Office reviewed 25 of DHS’s major acquisition programs—used to buy products and services to help secure the border, screen travelers and improve disaster responses—and found 18 of the programs met their cost and schedule goals for fiscal year 2022. Additionally, five programs asked for COVID-19 baseline adjustments.

Meanwhile, according to the report, major DHS programs must identify their cybersecurity risks in a memo as they consider cybersecurity throughout the procurement lifecycle. Major acquisition programs are supposed to present a cybersecurity risk recommendation memorandum at acquisition decision events, identifying the program’s cybersecurity status and its risk recommendation—high, medium or low. However, GAO noted that, since the requirement was implemented over two years ago, none of the programs that had relevant acquisition events complied with it “because they didn’t think this requirement applied to them.”

Of the seven examined programs that had relevant acquisition events, one provided documentation showing DHS had waived the requirement. The six remaining programs either used other documentation in place of the memo, said the memo was not applicable to the program, or simply did not create one.

GAO noted that the memo requirement does not specify when it can be waived, when it is not applicable, or when and what other documentation may be used instead. As a result, programs can be unprepared to provide this information when it is required.

The watchdog therefore urged DHS to clarify the mandate. According to GAO, the lack of clarity and the resulting confusion could hinder DHS’s cybersecurity risk assessment and mitigation efforts.

DHS concurred with the recommendation and said it planned to implement it by March 30, 2024.

The GAO report was originally released in March 2023, but the public version issued last week omits information DHS deemed sensitive. In the sensitive version of the report, GAO made an additional recommendation.