GAO: DHS lacks departmentwide information security

The Homeland Security Department must protect its own information and information systems before it can effectively protect the country’s, the Government Accountability Office said in a report.

The report reads like a twisted version of the old Trident gum commercial: Five out of six DHS systems tested lacked continuity of operations (COOP) plans.

Four out of six lacked remedial action plans or had tested and evaluated their security controls. Three had incomplete risk assessments and two had not finished their information security plans.

“Until DHS addresses these weaknesses and fully implements a comprehensive, departmentwide information security program, its ability to protect the confidentiality, integrity and availability of its information and information systems will be limited,” said Gregory Wilshusen, GAO’s director of information security issues, in the report issued Monday.

To get DHS’ information sharing up to speed, GAO recommended that DHS Secretary Michael Chertoff order Robert West, DHS’ CISO, to develop complete risk assessments and document comprehensive security plans.

Chertoff should also tell West to ensure that all DHS agencies fully test and evaluate their security controls, it read. Finally, West should be required to finish all remedial action plans and COOP plans, it states.

West agreed with the report’s conclusions in a written reply. DHS has already enacted some of the report’s recommendations and is doing or planning to complete the others, he wrote.

DHS has made significant progress toward developing and documenting a strategic plan for information security but has failed to fully implement it, the report reads. West has created new information security managers and officers and has created guidelines for his office and all of DHS to follow, it states. He also created Trusted Agent FISMA, an enterprisewide tool to manage and oversee DHS’ information security, according to the report.

DHS’ Office of the Inspector General, however, found that Trusted Agent FISMA was unreliable, the report states. West wrote that DHS has since added information security verification measures to the system.

The Transportation Security Administration had two deficient systems that lacked effective security tests, remedial action plans and COOP plans, the report says. One of its general support systems also did not have a finished risk assessment, it states.

A major application at U.S. Immigration and Customs Enforcement lacked completed security tests, remedial action plans and COOP plans, the report reads. A general support system at ICE did not have a completed security test, COOP plan or risk assessment, it says.

At the Emergency Preparedness & Response directorate, a general support system had a substandard risk assessment, security plan, remedial action plans and COOP plans, the report states.

Neither ICE nor EP&R had designated funds to fix known problems, the report states.

The report also concludes that the U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) program, which screens foreign nationals entering and exiting the country to weed out potential terrorists, lacked a completed security plan. The report did not apply the other evaluation criteria to US-VISIT.

DHS has also failed to create a complete and accurate inventory of all its computer systems, the report reads.

The report reviewed several DHS facilities from July 2004 to May 2005. Sen. Joseph Lieberman (D-Conn.), who commissioned the report, said he was displeased with DHS’ lack of progress on such a crucial issue.

“How can the department possibly protect the nation’s critical cyberstructure if it cannot keep its own house in order?” the senator said in a statement. “More than two years after the department was formed, it should have a better grasp on protecting its own systems and information.”

DHS should quickly follow GAO’s suggestions, Lieberman said.