Information Security
Department of Homeland Security Needs to Fully Implement Its Security Program
GAO ID: GAO-05-700 June 17, 2005
The Homeland Security Act of 2002 mandated the merging of 22 federal agencies and organizations to create the Department of Homeland Security (DHS), whose mission, in part, is to protect our homeland from threats and attacks. DHS relies on a variety of computerized information systems to support its operations. GAO was asked to review DHS's information security program. In response, GAO determined whether DHS had developed, documented, and implemented a comprehensive, departmentwide information security program.
DHS has not fully implemented a comprehensive, departmentwide information security program to protect the information and information systems that support its operations and assets. It has developed and documented departmental policies and procedures that could provide a framework for implementing such a program; however, certain departmental components have not yet fully implemented key information security practices and controls. For example, risk assessments--needed to determine what controls are necessary and what level of resources should be expended on them--were incomplete. Elements required for information system security plans--which would provide a full understanding of existing and planned information security requirements--were missing. Testing and evaluation of security controls--which are needed to determine the effectiveness of information security policies and procedures--were incomplete or not performed. Elements required for remedial action plans--which would identify the resources needed to correct or mitigate known information security weaknesses--were missing, as were elements required for continuity of operations plans to restore critical systems in case of unexpected events. In addition, DHS had not yet fully developed a complete and accurate systems inventory. Shortfalls in executing responsibilities for ensuring compliance with the information security program allowed these weaknesses to occur. Although DHS has an organization that is responsible for overseeing the component implementation of key information security practices and controls, its primary means for doing so--an enterprisewide tool--has not been reliable. Until DHS addresses weaknesses with using the tool and implements a comprehensive, departmentwide information security program, its ability to protect its information and information systems will be limited.
GAO-05-700, Information Security: Department of Homeland Security Needs to Fully Implement Its Security Program
This is the accessible text file for GAO report number GAO-05-700
entitled 'Information Security: Department of Homeland Security Needs
to Fully Implement Its Security Program' which was released on July 11,
2005.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Ranking Minority Member, Committee on Homeland Security
and Governmental Affairs, U.S. Senate:
June 2005:
Information Security:
Department of Homeland Security Needs to Fully Implement Its Security
Program:
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-700]:
GAO Highlights:
Highlights of GAO-05-700, a report to the Ranking Minority Member,
Committee on Homeland Security and Governmental Affairs, U.S. Senate:
Why GAO Did This Study:
The Homeland Security Act of 2002 mandated the merging of 22 federal
agencies and organizations to create the Department of Homeland
Security (DHS), whose mission, in part, is to protect our homeland from
threats and attacks. DHS relies on a variety of computerized
information systems to support its operations. GAO was asked to review
DHS's information security program. In response, GAO determined whether
DHS had developed, documented, and implemented a comprehensive,
departmentwide information security program.
What GAO Found:
DHS has not fully implemented a comprehensive, departmentwide
information security program to protect the information and information
systems that support its operations and assets. It has developed and
documented departmental policies and procedures that could provide a
framework for implementing such a program; however, certain
departmental components have not yet fully implemented key information
security practices and controls. For example, risk assessments--needed
to determine what controls are necessary and what level of resources
should be expended on them--were incomplete. Elements required for
information system security plans--which would provide a full
understanding of existing and planned information security
requirements--were missing. Testing and evaluation of security
controls--which are needed to determine the effectiveness of information
security policies and procedures--were incomplete or not performed.
Elements required for remedial action plans--which would identify the
resources needed to correct or mitigate known information security
weaknesses--were missing, as were elements required for continuity of
operations plans to restore critical systems in case of unexpected
events. The table below indicates with an "X" where GAO found
weaknesses. In addition, DHS had not yet fully developed a complete and
accurate systems inventory.
Weaknesses in Information Security Practices and Controls of Selected
DHS Components:

An "X" marks an area in which GAO found weaknesses; "N/A" marks an area
GAO did not review.

DHS system              DHS component  Risk        Security  Security test   Remedial      Continuity
                                       assessment  plan      and evaluation  action plans  of operations
----------------------  -------------  ----------  --------  --------------  ------------  -------------
Major application       US-VISIT       N/A         X[A]      N/A             N/A           N/A
Major application       ICE                                  X               X             X
Major application       TSA                                  X               X             X
General support system  ICE            X                     X                             X
General support system  TSA            X                     X               X             X
General support system  EP&R           X           X                         X             X

Sources: GAO analysis of DHS information for United States Visitor and
Immigrant Status Indicator Technology (US-VISIT), Immigration and
Customs Enforcement (ICE), Transportation Security Administration
(TSA), and Emergency Preparedness and Response (EP&R).
[A] For US-VISIT, GAO reviewed only the security plan.
[End of table]
Shortfalls in executing responsibilities for ensuring compliance with
the information security program allowed these weaknesses to occur.
Although DHS has an organization that is responsible for overseeing the
component implementation of key information security practices and
controls, its primary means for doing so--an enterprisewide tool--has not
been reliable. Until DHS addresses weaknesses with using the tool and
implements a comprehensive, departmentwide information security
program, its ability to protect its information and information systems
will be limited.
What GAO Recommends:
To assist DHS in fully implementing its program, GAO is making
recommendations to the Secretary of DHS to implement key information
security practices and controls and to establish milestones for
verifying the department's reported performance data. In providing
written comments on a draft of this report, DHS generally agreed with
the contents of the report and described actions recently completed,
ongoing, or planned to implement its program.
www.gao.gov/cgi-bin/getrpt?GAO-05-700.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Gregory Wilshusen at 202-
512-6244 or wilshuseng@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
Department of Homeland Security's Mission and Organization:
DHS Has Developed and Documented an Information Security Program, but
Weaknesses in Implementation Remain:
Conclusions:
Recommendations for Executive Action:
Agency Comments:
Appendixes:
Appendix I: Scope and Methodology:
Appendix II: Comments from the Department of Homeland Security:
Appendix III: GAO Contact and Staff Acknowledgments:
Table:
Table 1: Weaknesses in DHS Selected Components' Information Security
Practices and Controls:
Figure:
Figure 1: Overview of the Department of Homeland Security's
Organizational Structure:
Abbreviations:
CIO: Chief Information Officer:
CISO: Chief Information Security Officer:
DHS: Department of Homeland Security:
FISMA: Federal Information Security Management Act:
IT: information technology:
NIST: National Institute of Standards and Technology:
OIG: Office of the Inspector General:
OMB: Office of Management and Budget:
US-VISIT: United States Visitor and Immigrant Status Indicator
Technology:
Letter June 17, 2005:
The Honorable Joseph I. Lieberman:
Ranking Minority Member:
Committee on Homeland Security and Governmental Affairs:
United States Senate:
Dear Senator Lieberman:
Information security is a critical consideration for any organization
that depends on information systems and computer networks to carry out
its mission. It is especially important for government agencies, where
maintaining the public's trust is essential. Federal agencies face
increasing security risks from viruses, hackers, and others who seek to
disrupt federal operations or obtain sensitive information that is
stored in federal computers. In our reports to Congress since 1997--
most recently in January 2005[Footnote 1]--we have identified
information security as a governmentwide high-risk issue.
Responding to current and potential threats to homeland security is one
of the federal government's most significant challenges. To address
this challenge, the Homeland Security Act of 2002 (Pub. L. No. 107-296)
mandated the merger of 22 federal agencies and organizations with
homeland security-related missions to create the Department of Homeland
Security (DHS). Since it became operational in March 2003, DHS has not
only faced the challenge of protecting the homeland, but also that of
transforming this collection of diverse entities into a single new
cabinet-level department. In order to meet this challenge, it is
crucial that DHS establish an effective information security program to
protect the information and information systems that support its
operations and assets.
In response to your request, our objective was to determine whether DHS
had developed, documented, and implemented a comprehensive,
departmentwide information security program. To accomplish this
objective, we reviewed pertinent information security policies,
procedures, and practices in place at the department and its component
organizations, obtained from information system security managers and
other key officials. Our review of DHS's information security program
was based, in part, on the requirements of the Federal Information Security
Management Act of 2002 (FISMA)[Footnote 2] and relevant Office of
Management and Budget (OMB) policies[Footnote 3] and National Institute
of Standards and Technology (NIST) guidance related to performing risk
assessments, developing information security plans, testing and
evaluating security controls, documenting remedial action plans, and
documenting and testing continuity of operations plans. Details on our
scope and methodology are included in appendix I.
We performed our review at DHS facilities in the Washington, D.C.,
metropolitan area, Denver, Colorado, and at our headquarters in
Washington, D.C., from July 2004 through May 2005, in accordance with
generally accepted government auditing standards.
Results in Brief:
DHS has not fully and effectively implemented a comprehensive,
departmentwide information security program to protect the information
and information systems that support its operations and assets. It has
developed and documented departmental policies and procedures that
could provide a framework for implementing a departmentwide information
security program; however, certain departmental components have not yet
fully implemented key information security practices and controls. For
example, components' weaknesses in implementing the program included
incomplete risk assessments for determining the required controls and
the level of resources that should be expended on them; missing
required elements from information system security plans for providing
a full understanding of the existing and planned information security
requirements; incomplete or nonexistent test and evaluation of security
controls for determining the effectiveness of information security
policies and procedures; missing required elements from remedial action
plans for identifying the resources needed to correct or mitigate
identified information security weaknesses; and incomplete, nonexistent
or untested continuity of operations plans for restoring critical
systems in the case of unexpected events. In addition, DHS had not yet
fully developed a complete and accurate systems inventory.
Shortfalls in executing the responsibilities for ensuring compliance
with the departmentwide information security program allowed the
weaknesses that we identified to occur. Although the Chief Information
Security Officer (CISO) has responsibility for overseeing DHS
components' compliance with key information security practices and
controls, the primary means for doing so--an enterprise management tool
known as Trusted Agent FISMA--has not been reliable. The DHS Office of
the Inspector General (OIG) identified weaknesses with this tool that
make it unreliable for use in overseeing the components' reported
performance data on their compliance with key information security
activities. Specifically, the OIG reported that the data are not
comprehensively verified, there is no audit trail capability, material
weaknesses are not consistently reported or linked to plans of actions
and milestones, and plans of actions and milestones that have been
identified and documented are not current. Until DHS addresses these
weaknesses and fully implements a comprehensive, departmentwide
information security program, its ability to protect the
confidentiality, integrity and availability of its information and
information systems will be limited.
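The four OIG findings about the oversight tool (reported data not verified, no audit trail, material weaknesses not linked to plans of action and milestones, and stale plans of action and milestones) each describe a data-integrity check that an enterprise compliance tool can enforce mechanically. The following is an added example written for this report, not DHS code and not the Trusted Agent FISMA tool: it runs those checks over constructed component records covering the five practices the report examines (risk assessment, security plan, security test and evaluation, remedial action plan, continuity of operations) and keeps a hash-chained audit trail of each review. The record layout, identifiers, and the 90-day staleness threshold are assumptions.

```python
# Added example: data checks and an audit trail for component-reported
# compliance data. Not DHS code; record layout and thresholds are assumed.
import hashlib
import json
from dataclasses import dataclass
from datetime import date

# The five practices the report examines for each system.
REQUIRED_ARTIFACTS = ("risk_assessment", "security_plan",
                      "security_test_evaluation", "remedial_action_plan",
                      "continuity_of_operations")


@dataclass
class SystemRecord:
    system_id: str
    component: str
    reported: dict    # artifact -> True if the component reports it complete
    evidence: dict    # artifact -> date the artifact was received, or None
    weaknesses: list  # identified material weakness ids
    poams: dict       # POA&M id -> {"weakness", "updated", "milestone"}


def unverified_claims(rec):
    """Finding 1: a 'complete' claim counts only when evidence is on file."""
    return [a for a in REQUIRED_ARTIFACTS
            if rec.reported.get(a) and rec.evidence.get(a) is None]


def unlinked_weaknesses(rec):
    """Finding 3: every material weakness must map to a POA&M."""
    linked = {p["weakness"] for p in rec.poams.values()}
    return [w for w in rec.weaknesses if w not in linked]


def stale_poams(rec, today, max_age_days=90):
    """Finding 4: a POA&M is not current if its last update is older than
    max_age_days (assumed threshold) or its milestone date has passed."""
    return [pid for pid, p in rec.poams.items()
            if (today - p["updated"]).days > max_age_days
            or p["milestone"] < today]


class AuditTrail:
    """Finding 2: append-only log; each digest covers the previous digest,
    so editing or dropping an earlier entry is detected by verify()."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(
            json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()

    def append(self, actor, action, payload):
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "actor": actor, "action": action,
                "payload": payload, "prev": prev}
        self.entries.append({**body, "digest": self._digest(body)})

    def verify(self):
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "digest"}
            if body["prev"] != prev or self._digest(body) != e["digest"]:
                return False
            prev = e["digest"]
        return True


def review(records, trail, actor, today):
    """Run the three data checks per system and log each result."""
    report = {}
    for rec in records:
        findings = {"unverified": unverified_claims(rec),
                    "unlinked_weaknesses": unlinked_weaknesses(rec),
                    "stale_poams": stale_poams(rec, today)}
        report[rec.system_id] = findings
        trail.append(actor, "review", {"system": rec.system_id, **findings})
    return report


# Constructed sample records (not DHS data).
TODAY = date(2005, 5, 1)
ALL_CLAIMED = {a: True for a in REQUIRED_ARTIFACTS}
SAMPLE_RECORDS = [
    SystemRecord("GSS-01", "Component A", ALL_CLAIMED,
                 {**{a: date(2005, 3, 1) for a in REQUIRED_ARTIFACTS},
                  "security_test_evaluation": None},   # claimed, no evidence
                 ["W-1", "W-2"],                        # W-2 has no POA&M
                 {"P-1": {"weakness": "W-1", "updated": date(2005, 1, 10),
                          "milestone": date(2005, 6, 30)}}),  # 111 days old
    SystemRecord("MA-02", "Component B", ALL_CLAIMED,
                 {a: date(2005, 4, 15) for a in REQUIRED_ARTIFACTS},
                 ["W-3"],
                 {"P-3": {"weakness": "W-3", "updated": date(2005, 4, 20),
                          "milestone": date(2005, 9, 1)}}),
]
SAMPLE_TRAIL = AuditTrail()
SAMPLE_REPORT = review(SAMPLE_RECORDS, SAMPLE_TRAIL, "ciso-reviewer", TODAY)


def tampered_trail_verifies():
    """Alter a logged finding after the fact; the chain check must fail."""
    trail = AuditTrail()
    review(SAMPLE_RECORDS, trail, "ciso-reviewer", TODAY)
    trail.entries[0]["payload"]["stale_poams"] = []  # hide the stale POA&M
    return trail.verify()
```

Running `review` over the sample records reports the first system with an unverified test-and-evaluation claim, an unlinked weakness, and a stale POA&M, and the second system clean; `SAMPLE_TRAIL.verify()` holds for the untouched log, while `tampered_trail_verifies()` returns False once a logged finding is edited.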
To assist DHS in fully implementing its program, we are making
recommendations to the Secretary of DHS to fully implement key
information security practices and controls and to establish milestones
for developing a comprehensive information systems inventory and for
verifying the department's reported performance data. In providing
written comments on a draft of this report, DHS generally agreed with
the contents of the report and described actions to implement its
security program.
Background:
To address the challenge of responding to current and potential threats
to homeland security--one of the federal government's most significant
challenges--Congress passed, and the President signed, the Homeland
Security Act of 2002.[Footnote 4] This act mandated the merger of 22
federal agencies and organizations into DHS. Not since the creation of
the Department of Defense in 1947 has the federal government undertaken
a transformation of this magnitude. In March 2003, DHS assumed
operational control of about 209,000 civilian and military positions
from these 22 federal agencies and organizations. Each of these
agencies and organizations brought with it management challenges,
distinct missions, unique information technology infrastructures and
systems, and its own policies and procedures. Because of the importance
of the department's operations and the challenges associated with
creating the federal government's third largest department, we
designated the implementation and transformation of DHS as a high-risk
area in January 2003.[Footnote 5]
Department of Homeland Security's Mission and Organization:
DHS's mission, in part, is to prevent and deter terrorist attacks
within the United States,[Footnote 6] reduce the vulnerability of the
United States to terrorism, and to minimize the damage, and assist in
the recovery, from terrorist attacks that do occur.[Footnote 7] This is
an exceedingly complex mission that requires coordinated and focused
effort from the federal government, state and local governments, the
private sector, and the American people. The Department of Homeland
Security Appropriations Act of 2005,[Footnote 8] provided $28.9 billion
in net discretionary spending for DHS to carry out its mission.
To accomplish its mission, the Homeland Security Act of 2002
established five under secretaries with responsibilities over
directorates for management, science and technology, information
analysis and infrastructure protection, border and transportation
security, and emergency preparedness.[Footnote 9] Each directorate is
responsible for its specific homeland security mission area. DHS
aligned the 22 federal agencies and organizations into 13 major agency
components[Footnote 10] (see fig. 1). The 13 components and their
missions:
* Office of Management--responsible for such things as the budget,
appropriations, expenditure of funds, accounting and finance,
procurement, and information technology.
* Science and Technology--serve as the primary research and development
arm of DHS with a focus on catastrophic terrorism--threats to the
security of our homeland that could result in large-scale loss of life
and major economic impact.
* Transportation Security Administration--protect the nation's
transportation systems by ensuring the freedom of movement for people
and commerce.
* Customs and Border Protection--manage, control, and protect the
nation's borders at and between the official ports of entry.
* Immigration and Customs Enforcement--prevent acts of terrorism by
targeting the people, money, and materials that support terrorist and
criminal activities. It is the largest investigative arm of DHS.
* Federal Law Enforcement Training Center--prepare federal, state,
local, and international law enforcement professionals to fulfill their
responsibilities safely and proficiently, ensuring that training is
accomplished in the most cost-effective manner.
* Emergency Preparedness and Response--ensure that our nation is
prepared for incidents--whether natural disasters or terrorist
assaults--and oversee the federal government's national response and
recovery strategy.
* Information Analysis and Infrastructure Protection--help deter,
prevent, and mitigate acts of terrorism by assessing vulnerabilities in
the context of continuously changing threats.
* Citizen and Immigration Services--promote national security,
eliminate immigration case backlogs, improve customer services, and
provide administrative services such as immigrant and nonimmigrant
sponsorship, work authorization and other permits, and naturalization
of qualified applicants for U.S. citizenship.
* Office of the Inspector General (OIG)--serve as an independent and
objective inspection, audit, and investigative body to promote
effectiveness, efficiency, and economy in the DHS's programs and
operations, and to prevent and detect fraud, abuse, mismanagement, and
waste in such programs and operations.
* U.S. Coast Guard--protect the public, the environment, and U.S.
economic interests in the nation's ports and waterways, along the
coast, on international waters, or in any maritime region, as required
to support national security.
* U.S. Secret Service--protect the President and our nation's leaders,
as well as our country's financial and critical infrastructures.
* United States Visitor and Immigrant Status Indicator Technology (US-
VISIT)--a DHS program intended to collect, maintain, and share
information on foreign nationals through Immigration and Customs
Enforcement and Customs and Border Protection systems in order to
expedite the arrival and departure of legitimate travelers, while
making it more difficult for those intending to do harm to our nation.
Figure 1: Overview of the Department of Homeland Security's
Organizational Structure:
[See PDF for image]
[End of figure]
Within the Office of the Under Secretary Management is the Office of
the Chief Information Officer (CIO). Under the authorities of the
Clinger-Cohen Act of 1996,[Footnote 11] FISMA, and DHS management
directives, the DHS CIO is responsible for ensuring compliance with
federal information security requirements and reporting annually to the
DHS Secretary on the effectiveness of the department's information
security program. The CIO designated the CISO, under the authorities of
FISMA,[Footnote 12] to carry out specific information security
responsibilities that include:
* developing and maintaining a departmentwide information security
program, as required by FISMA;
* developing departmental information security policies and procedures
to address the requirements of FISMA;
* providing the direction and guidance necessary to ensure that
information security throughout the department is compliant with
federal information security requirements and policies; and:
* advising the CIO on the status and issues involving security aspects
of the departmentwide information security program.
In addition, the CISO is responsible for oversight functions such as
those required to ensure that DHS has departmentwide, repeatable, and
robust processes for meeting federal information security requirements
and that the components accurately assess their security postures.
Information system security managers at each of the components are
expected to assist the CISO in carrying out its oversight functions.
Security managers have the role of maintaining the confidentiality,
integrity, and availability of the DHS programs and systems that
support the department's missions and operations. They are responsible
for providing the link between the departmentwide information security
program and the components. Security managers are also responsible for
ensuring that the information system security officers and program
officials at their respective components are in compliance with federal
information security requirements and policies.
Information system security officers serve as the focal point for
information security activities at the system level in each DHS
component. Among other things, security officers have the
responsibility for ensuring that appropriate steps are taken to
implement information security requirements for information systems
throughout their life cycle. Security managers directly report to the
CIO at their respective component and security officers directly report
to their program officials, who directly report to their respective
component heads. Program officials are required to implement
information security controls and manage risk for information assets
pertaining to their business need.
DHS Uses a Variety of Systems to Support Its Mission Operations:
The department uses a variety of major applications and general support
systems to support its operations. A major application is one that
requires special attention due to the risk and magnitude of harm
resulting from the loss, misuse, or unauthorized access to or
modification of the information in the application. A general support
system is an interconnected set of information resources under the same
direct management control that shares common functionality. It normally
includes hardware, software, information, data, applications,
communications and people and can be, for example, a local area network
or communications network.
Many of these applications and systems serve specific requirements
unique to individual components' missions and result in
interoperability issues, data management concerns, and incompatible
environments or duplicative/inefficient processes. As noted in DHS's
March 2004 Information Resource Management Strategic Plan, DHS's CIO
has established the goal of forming one network and one information
technology infrastructure to facilitate information sharing within the
department and among DHS and external federal, state, and local
agencies.
Information Security is Critical for Agencies to Effectively Accomplish
Their Missions:
Information security is a critical consideration for any organization
that depends on information systems and computer networks to carry out
its mission. It is especially important for government agencies, where
maintaining the public's trust is essential. The dramatic expansion in
computer interconnectivity and the rapid increase in the use of the
Internet are changing the way our government, the nation, and much of
the world communicate and conduct business. Without proper safeguards,
they also pose enormous risks that make it easier for individuals and
groups with malicious intent to intrude into inadequately protected
systems and use such access to obtain sensitive information, commit
fraud, disrupt operations, or launch attacks against other computer
systems and networks.
Protecting the computer systems that support critical operations and
infrastructures has never been more important because of the concern
about attacks from individuals and groups, including terrorists. These
concerns are well-founded for a number of reasons, including the
dramatic increase in reports of security incidents, the ease of
obtaining and using hacking tools, the steady advance in the
sophistication and effectiveness of attack technologies, and the dire
warnings of new and more destructive attacks to come.
Computer-supported federal operations are likewise at risk. Our
previous reports,[Footnote 13] and those of agency inspectors general,
describe persistent information security weaknesses that place a
variety of critical federal operations, including DHS, at risk of
disruption, fraud, and inappropriate disclosure.
FISMA Authorized and Strengthened Information Security Requirements:
Enacted into law on December 17, 2002, as Title III of the E-Government
Act of 2002, FISMA authorized and strengthened information security
program, evaluation, and reporting requirements. FISMA assigns specific
responsibilities to agency heads, chief information officers, and
Inspectors General (IG). It assigns responsibilities to the OMB as
well; these include developing and overseeing the implementation of
policies, principles, standards, and guidelines for information
security; reviewing agency information security programs at least
annually; and approving or disapproving these programs.
FISMA requires each agency to develop, document, and implement a
departmentwide information security program. This program should
establish security measures for the information and information systems
that support the operations and assets of the agency--including those
provided or managed by another agency, a contractor, or another source.
This program is to include:
* periodic assessments of the risk and magnitude of harm that could
result from the unauthorized access, use, disclosure, modification,
disruption, or destruction of information or information systems;
* risk-based policies and procedures that cost effectively reduce
information security risks to an acceptable level and ensure that
information security is addressed throughout the life cycle of each
information system;
* subordinate plans for providing adequate information security for
networks, facilities, and systems or groups of information systems;
* periodic testing and evaluation of the effectiveness of the agency's
information security policies, procedures, and practices;
* a process for planning, implementing, evaluating, and documenting
remedial actions that are taken to address any deficiencies in the
agency's information security policies, procedures, and practices; and:
* plans and procedures to ensure continuity of operations for
information systems that support the operations and assets of the
agency.
FISMA also establishes a requirement that each agency develop,
maintain, and annually update an inventory of major information
systems that the agency operates or that are under its control. Among
other things, this inventory is to identify the interfaces between each
system and all other systems or networks with which it communicates,
including those that are not operated by, or under the control of, the
agency.
Each agency is also required to undergo an annual, independent
evaluation of its information security program and practices, including
control testing and compliance assessment. Evaluations of nonnational
security systems are to be performed by the agency's IG or by an
independent external auditor; evaluations related to national security
systems are to be performed only by an entity designated by the agency
head. Agencies are to report annually to OMB on the results of their
independent evaluations. OMB then summarizes the results of the
evaluations in a report to selected congressional committees.
Other major provisions require NIST to develop, for systems other than
national security systems, (1) standards to be used by all agencies to
categorize their information and information systems based on the
objectives of providing appropriate levels of information security
according to a range of risk levels, (2) guidelines recommending the
types of information and information systems to be included in each
category, and (3) minimum information security requirements for
information and information systems in each category. NIST must also
develop (1) a definition of and guidelines concerning the detection and
handling of information security incidents and (2) guidelines developed
in coordination with the National Security Agency for identifying an
information system as a national security system.
DHS Has Developed and Documented an Information Security Program, but
Weaknesses in Implementation Remain:
Since DHS became operational in March 2003, the CISO has developed and
documented departmental policies and procedures that could provide a
framework for implementing an agencywide information security program;
however, certain DHS components had not yet fully implemented key
information security practices and controls, as required by the
program. The CISO has taken several actions to develop and document a
departmentwide information security program. These actions include:
* development, documentation, and dissemination of DHS information
security policies and procedures, strategic program plans, risk
management plans, and a management directive and handbook for the
components' use in implementing the requirements of the program;
* establishment of Information System Security Managers and Information
System Security Officers positions to implement DHS's information
security program departmentwide;
* documentation and issuance of specific guides to assist security
managers and security officers in aligning their individual components'
information security programs with the department's program;
* development of Trusted Agent FISMA and a digital dashboard as tools
to aggregate and report component- and department-level data for
enterprise management and oversight of the departmentwide information
security program. Trusted Agent FISMA is an enterprise compliance and
oversight tool that manages the collection and reporting of the
components' information associated with key information security
practices and controls; the digital dashboard aggregates the data
collected in Trusted Agent FISMA and presents them visually, using a
traffic light display to gauge the progress of the departmentwide
information security program; and
* development and documentation of a departmentwide systems inventory
methodology that is designed to be used to develop, maintain, and
annually update an inventory of information systems operated by the
department or under its control.
In addition, as part of the department's efforts to develop and
document a departmentwide information security program, the CISO
finalized the Information Security Program Strategic Plan in April
2004, which provides a framework for establishing a unified,
departmentwide information security program.
Implementation Weaknesses Place DHS's Operations and Assets at Risk:
Although the CISO has made significant progress in developing and
documenting a departmentwide information security program, certain DHS
components have not yet fully implemented key information security
practices and controls as required by the program. We identified
weaknesses in information security documentation for the three major
applications and three general support systems that we selected for
review that place DHS's operations and assets at risk. Among other
things, DHS's program requires the components to maintain information
security documentation in accordance with FISMA requirements, OMB
policies, and applicable NIST guidance. However, we identified that
risk assessments were not complete, security plans lacked required
elements, test and evaluation of security controls were either not
comprehensive or not performed, plans of action and milestones lacked
required elements, and continuity of operations plans were not
complete, lacked required elements, or had not been tested. In
addition, DHS had not yet fully developed a complete and accurate
information systems inventory. As a result of these weaknesses, DHS's
ability to protect the confidentiality, integrity, and availability of
its information and information systems was limited.
Table 1 indicates with an "X" where we found weaknesses in selected
components' information security practices and controls.
Table 1: Weaknesses in DHS Selected Components' Information Security
Practices and Controls:

DHS system              Component  Risk        Security  Security test   Remedial      Continuity of
                                   assessment  plan      and evaluation  action plans  operations
Major application       US-VISIT   N/A         X[A]      N/A             N/A           N/A
Major application       ICE                              X               X             X
Major application       TSA                              X               X             X
General support system  ICE        X                     X                             X
General support system  TSA        X                     X               X             X
General support system  EP&R       X           X                         X             X

X = weakness identified; N/A = documentation not reviewed (see note
[A]).
Source: GAO analysis of information security documentation for United
States Visitor and Immigrant Status Indicator Technology (US-VISIT),
Immigration and Customs Enforcement (ICE), Transportation Security
Administration (TSA), and Emergency Preparedness and Response (EP&R)
systems.
[A] For each system, we obtained and reviewed all documentation
contained in the certification and accreditation package, with the
exception of US-VISIT; in this case, we reviewed only the security
plan.
[End of table]
Risk Assessments:
Identifying and assessing information security risks are essential
steps in determining what controls are required and what level of
resources should be expended on controls. Moreover, by increasing
awareness of risks, these assessments generate support for the policies
and controls that have been adopted, which helps ensure that these
policies and controls operate as intended. FISMA requires agencies'
information security programs to include periodic assessments of the
risk and magnitude of the harm that could result from the unauthorized
access, use, disclosure, disruption, modification, or destruction of
information and information systems that support the operations and
assets of the agency.
Risk assessments for three of the five systems were not complete. For
example, two general support systems--one at Transportation Security
Administration and one at Immigration and Customs Enforcement--had risk
assessment reports that were in draft and incomplete. In addition to
the weaknesses we identified, the OIG, as part of its fiscal year 2004
FISMA evaluation, found that risk assessments for the selected DHS
systems that it reviewed were not current. Unless DHS performs
periodic risk assessments of its information systems, it will not have
assurance that appropriate controls over potential threats have been
identified to reduce or eliminate the associated risk.
Security Plans:
The purpose of an information system security plan is to provide an
overview of the security requirements of the system and describe the
controls that are in place or planned for meeting those requirements.
The information security plan also delineates the responsibilities and
expected behavior of all individuals who access the system. The
information security plan can be viewed as documentation of the
structured process of planning adequate, cost-effective security
protection for a system and should form the basis for the system
authorization, supplemented by more specific studies as needed.
According to NIST guidance, security plans should include all
interconnected systems (including the Internet) and interaction among
systems in regard to the authorization for the connection to other
systems or the sharing of information. Also according to NIST guidance,
security plans should include rules of behavior and reflect input from
various individuals who have responsibility for the system, including
information system owners. In addition, the security plans require
periodic reviews, modifications, and milestone or completion dates for
planned controls.
The information security plans for two of the six systems we reviewed
lacked required elements. Specifically, the information security plan
for a US-VISIT major application did not include authorizations for
interconnected systems or the sharing of information for primary and
secondary systems and for other infrastructures. In addition, the
Internet was not included in the list of interconnected systems.
Further, rules of behavior, another required element for security
plans, did not cover all pertinent elements such as work at home, dial-
in access, connection to the Internet, use of copyrighted works,
unofficial use of government equipment, the assignment and limitation
of system privileges, and individual accountability. The information
security plan for the general support system at the Emergency
Preparedness and Response directorate did not identify a designated
information system owner or procedures for reviewing the information
security plan and following up on planned controls. The OIG, as part of
its fiscal year 2004 FISMA evaluation, found that security plans for
the DHS systems that it had selected for review had either not been
updated or not approved. As a result of these weaknesses, DHS does not
have assurance that its information systems are adequately protected.
Testing and Evaluation:
Another key element of an information security program is periodic
testing and evaluation of the effectiveness of information security
policies, procedures, and practices. Under FISMA, the frequency with
which an organization conducts testing and evaluation depends on the
level of risk. This testing and evaluation should be
conducted at least annually and include testing of management,
operational, and technical controls of every system identified in the
agency's information systems inventory. Management control testing, for
example, includes integration testing, which occurs in the program's
actual operating environment and tests such things as connectivity with
other systems and networks. Periodically testing and evaluating the
effectiveness of security policies and controls is a fundamental
activity that allows an agency to manage its information security risks
cost-effectively, rather than reacting to individual problems ad hoc
only after a violation has been detected or an audit finding has been
reported. Such testing and evaluation helps provide a more complete
picture of agencies' security postures.
DHS did not fully test and evaluate the security controls of four of
the five major systems we reviewed. For example, the Transportation
Security Administration did not test and evaluate security controls and
policies for a major application and general support system. Further,
Immigration and Customs Enforcement did not have final test and
evaluation reports for a major application and general support system.
Although we did not obtain the test and evaluation report for US-VISIT,
the information security plan identified that comprehensive testing had
not occurred for one major application. Specifically, the application
owner did not conduct systems integration testing in the program's
actual operating environment to test such things as connectivity with
other systems and networks. In its fiscal year 2004 FISMA report, DHS
identified that 24 percent of its systems had not undergone test and
evaluation. Without adequately testing and evaluating systems, the
department cannot be assured that security controls are in place and
functioning correctly to protect its information and information
systems.
Remedial Action Plans:
FISMA requires each agency to develop a process for planning,
implementing, evaluating, and documenting remedial action plans,
referred to as plans of action and milestones by OMB, to address any
deficiencies in the information security policies, procedures, and
practices. The CIO is to manage the process for the agencies and be
regularly updated by program officials on their progress in
implementing remedial actions. This process allows both the CIO and the
OIG to monitor departmentwide progress, identify problems, and provide
accurate reporting. In its guidance for annual reporting, OMB asks the
agency IGs to report on the status of the plans of action and
milestones at their agencies. IGs were asked to evaluate the process
based on several criteria, including whether systems plans are tied
directly to the system budget request through the information
technology business case, as required by OMB.
For four of the five systems that we reviewed, program officials either
did not identify any resources in their plans of action and milestones
submissions, as required by OMB, to correct or mitigate identified
information security weaknesses or had not prepared plans of action and
milestones. As part of its fiscal year 2004 FISMA evaluation, the OIG
reported that DHS's plans of action and milestones process was not
adequate. Specifically, the estimated funding necessary to correct or
mitigate information security weaknesses was not identified in the
components' plans of action and milestones submissions, system-level
plans of action and milestones were not linked to individual
components' budget submissions, and not all of the components were
capturing information security weaknesses from all sources for
reporting on their plans of action and milestones. We found that a
major application at Immigration and Customs Enforcement and a general
support system at Emergency Preparedness and Response had not allocated
any funds to correct specifically identified weaknesses. Although some
actions did not have an associated cost, there were instances where it
was apparent that costs would be incurred for the corrective action.
Further, the Transportation Security Administration did not prepare
plans of action and milestones for information security weaknesses
associated with a major application and general support system. As a
result, DHS does not have assurance that all information security
weaknesses have been reported and that corrective actions will
appropriately be taken to address the weaknesses.
Continuity of Operations:
Continuity of operations plans provide specific instructions for
restoring critical systems, including such elements as arrangement for
alternative processing facilities in case the usual facilities are
significantly damaged or cannot be accessed due to unexpected events.
These events may include such things as temporary power failure,
accidental loss of files, or a major disaster. It is important that
these plans be clearly documented, communicated to potentially affected
staff, and updated to reflect current operations. According to NIST
guidance, continuity planning includes establishing thorough plans,
procedures, and technical measures that can enable a system to be
recovered quickly and effectively following a service disruption or
disaster. Further, the testing of continuity of operations plans is
essential to determining whether plans will function as intended in an
emergency situation.
For all five of the continuity of operations plans reviewed, program
officials either did not include all information necessary to restore
operations in the event of a disaster or have a documented plan. For
example, the continuity of operations plans for an Immigration and
Customs Enforcement general support system and a major application
lacked critical information such as the activities necessary to return
to normal operations, personnel contact information, locations of
associated telecommunications infrastructure, location of off-site
storage for backup media, and vendor contact information. Further,
program officials did not have continuity of operations plans for a
Transportation Security Administration major application and general
support system. The OIG also reported deficiencies in DHS's continuity
of operations plans. Specifically, the OIG performed a quality review
of selected certification and accreditation packages and found
instances where continuity of operations plans did not meet all of the
applicable requirements. Further, the OIG identified instances in which
systems were accredited even though continuity of operations plans had
not been developed or tested. Moreover, in its FISMA report to OMB for
fiscal year 2004, DHS had reported that 79 percent of its systems did
not have a tested continuity of operations plan. As a result, the
department has limited assurance that it will be able to protect its
critical and sensitive information and information systems and resume
operations promptly when unexpected events or unplanned interruptions
occur.
DHS Does Not Have a Complete and Accurate Information Systems
Inventory:
FISMA requires agencies to develop, maintain, and annually update an
inventory of information systems that are either operated by the agency
or under its control. The inventory is to identify the interfaces
between each system and all the other systems or networks with which it
communicates, including those that are not operated by or under the
control of DHS.
In December 2004, the DHS CISO approved a departmentwide information
systems inventory methodology that its contractor developed and has
begun implementing it across the department. Our assessment of the
methodology determined that it is appropriately based on the
requirements of FISMA, OMB policies, and applicable NIST guidance and
standards and, if fully implemented, could provide the department with
a comprehensive inventory of its information systems.
As of March 2005, DHS has completed the information systems inventory
for the OIG and the Transportation Security Administration and is
completing its efforts to implement the methodology at the Immigration
and Customs Enforcement. In response to the OIG's fiscal year 2004
FISMA report, which reiterated its prior year recommendation that DHS
develop a complete and accurate systems inventory, DHS acknowledged
that it needs a complete and accurate systems inventory for all of its
components in order to effectively manage its program and ensure
departmentwide implementation. Subsequent to that report, DHS
established a milestone of August 5, 2005, for developing a complete
DHS systems inventory. Until DHS has a complete and accurate systems
inventory, DHS will be inhibited in its ability to oversee and manage
the information and information systems that support the operations and
assets of the agency.
Management Oversight Needs Improvement:
Shortfalls in executing the responsibilities for ensuring compliance
with the departmentwide information security program allowed the
weaknesses that we identified to occur. The CISO has responsibility for
overseeing DHS components' compliance with key information security
practices and controls. To fulfill this responsibility, the CISO
developed and implemented Trusted Agent FISMA[Footnote 14] in order to
aggregate the components' reported performance data that arise from
annual self-assessments and OMB metrics for key information security
activities, such as the number of significant deficiencies, whether
remedial action plans to address the deficiencies had been developed,
and the number of system continuity of operations plans documented and
tested. Security officers at the components are responsible for
updating the tool with data that arise from annual self-assessments, as
well as from other system-level security metrics. The security managers
have the responsibility for ensuring that all required metrics data are
updated. These data are aggregated in the digital dashboard[Footnote
15] and reported to OMB for the department as a whole.
However, the OIG identified that DHS could not rely on the accuracy and
completeness of the data contained in Trusted Agent FISMA, which
contributed to the OIG's overall recommendation that DHS continue to
consider its information security program a significant deficiency for
fiscal year 2004. Examples of the weaknesses that it identified
include:
* significant weaknesses were not consistently reported or linked to
plans of action and milestones;
* plans of action and milestones that had been identified and
documented included some that were neither current nor updated
periodically;
* some data fields, such as the "Scheduled Completion Date" for plans
of action and milestones, could be arbitrarily revised by the
components with no audit trail to monitor such activity; and
* information entered by the components was not verified.
Unless the data being collected and tracked from the components are
reliable, the CISO has no assurance that the components' metrics
accurately reflect the status of their implementation of key
information security activities. Having reliable metrics on key
activities such as those we identified as having weaknesses--risk
assessments, security plans, security test and evaluation, remedial
action plans, and continuity of operations plans--is critical.
According to DHS's information security policies and procedures, the
CISO is to use these metrics to validate the efficacy of the program,
identify gaps between reported and actual performance data, and help
focus attention on presidential, congressional, or department
priorities. In response to the OIG's FISMA evaluation, the CIO stated
that the department had recently initiated a project to review and
verify the metrics data. However, the CIO has not established a
milestone for completing this project. Implementing a process for
verifying the reported data could help improve the quality of the
information used by the CISO to oversee the components' compliance with
the departmentwide information security program.
Conclusions:
DHS has not fully implemented a comprehensive, departmentwide
information security program, thereby jeopardizing the confidentiality,
integrity, and availability of the information and information systems
that it relies on to accomplish its mission. DHS's efforts to date in
developing and documenting such a program have merit. However, ensuring
that the components implement key information security practices and
controls, especially with a department as diverse as DHS, requires
effective management oversight and monitoring. Having a complete and
accurate information systems inventory and a process in place to verify
the components' data on their implementation of the key information
security practices and controls is needed for DHS to effectively
implement its information security program. However, until it does so,
DHS will have limited assurance that its operations and assets are
adequately protected.
Recommendations for Executive Action:
To help fully implement DHS's departmentwide information security
program, we recommend that the Secretary of DHS direct the Chief
Information Officer to:
* instruct the CISO and component agencies to fully implement the
following key information security practices and controls by:
  * developing complete risk assessments;
  * documenting comprehensive security plans;
  * fully performing testing and evaluation of security controls;
  * reporting complete remedial action plans; and
  * developing, documenting, and testing continuity of operations
  plans.
* establish milestones for completing verification of the components'
reported performance data in Trusted Agent FISMA.
Agency Comments:
In providing written comments on a draft of this report, DHS's Chief
Information Security Officer generally agreed with the contents of the
report and described recently completed, ongoing or planned efforts to
implement the department's information security program. For example,
the Chief Information Security Officer stated that the agency has
efforts under way to improve processes for developing complete risk
assessments; documenting and updating security plans; verifying the
results of annual testing and evaluation of security controls;
reporting complete remedial action plans; and developing, documenting,
and testing continuity of operations plans. The Chief Information
Security Officer also stated that enhancements have been made to the
Trusted Agent FISMA tool in order to improve the reliability of the
components' reported performance data. DHS's comments are reprinted in
appendix II of this report.
As agreed with your offices, unless you publicly announce its contents
earlier, we will not distribute this report further until 30 days from
the report date. At that time, we will send copies to interested
congressional committees, the DHS Secretary and, upon their request, to
other interested parties. In addition, the report will be made
available at no charge on the GAO Web site at [Hyperlink,
http://www.gao.gov].
If you have any questions about this report, please contact me at (202)
512-6244 or via e-mail at [Hyperlink, wilshuseng@gao.gov]. Contact
points for our Offices of Congressional Relations and Public Affairs
may be found on the last page of this report. Key contributors to this
report are acknowledged in appendix III.
Sincerely yours,
Signed by:
Gregory C. Wilshusen:
Director, Information Security Issues:
[End of section]
Appendixes:
Appendix I: Scope and Methodology:
To determine whether the Department of Homeland Security (DHS) had
developed and documented a departmentwide information security program,
we reviewed departmental information security plans, policies,
procedures, and handbooks; agencywide tools for aggregating the
components' performance data on their assessment of meeting the
requirements of the Federal Information Security Management Act of 2002
(FISMA); and DHS's information systems inventory methodology. We
assessed whether DHS's departmentwide information security program was
consistent with the requirements of FISMA and applicable Office of
Management and Budget (OMB) policies[Footnote 16] and NIST guidance
related to performing risk assessments, developing information security
plans, testing and evaluating security controls, documenting remedial
action plans, and documenting and testing continuity of operations
plans.
To determine whether DHS had implemented its departmentwide information
security program, we focused our review on the components' alignment
with key information security practices and controls. To accomplish
this, we selected seven DHS components--five of which DHS categorizes
as major agency components due to their size and mission. The five
components selected were: Customs and Border Protection, Transportation
Security Administration, Immigration and Customs Enforcement, U.S.
Coast Guard, and Emergency Preparedness and Response. We also selected
these five components because they had been in existence prior to the
transformation of DHS and, from an evaluation standpoint, focused on
determining their progress in aligning with and implementing the
departmentwide information security program given these components had
their own information technology management structures, information
security policies and practices, and infrastructures. As a comparison,
we selected one component--Science and Technology--that had not existed
prior to the transformation to evaluate its alignment with and
implementation of the departmentwide information security program. We
also selected the United States Visitor and Immigrant Status Indicator
Technology (US-VISIT) program due to its significant mission in
providing security to our nation's borders.
Based on their criticality to DHS's mission operations, we selected for
review three major applications and three general support systems and
obtained documentation contained in the certification and accreditation
packages for the selected systems to assess the extent to which the
components implemented key information security practices and controls.
Certification is a comprehensive process of assessing the level of
security risk, identifying security controls needed to reduce risk and
maintain it at an acceptable level, documenting security controls in a
security plan, and testing controls to ensure they operate as intended.
Accreditation is a written decision by an agency management official
authorizing operation of a particular information system or group of
systems. Specifically, we reviewed and analyzed information security
plans, risk assessments, information security test and evaluation
reports, remedial action plans, and continuity of operations plans for
the selected systems. We compared the components' documented practices
and controls for these information security areas with applicable FISMA
requirements, OMB guidance, and applicable NIST guidance.
To supplement our documentation reviews and analysis, we reviewed and
considered various audit reports from the CIO and OIG evaluations of
DHS's information security program, including DHS's and OIG's annual
FISMA reports from 2003 and 2004.
We performed our review at DHS headquarters, the offices of the seven
components, and our headquarters in the Washington, D.C., metropolitan
area, and at DHS's network and security operations center in Denver,
Colorado, from July 2004 through May 2005. Our review was performed in
accordance with generally accepted government auditing standards.
[End of section]
Appendix II: Comments from the Department of Homeland Security:
[See PDF for image]
[End of figure]
[End of section]
Appendix III: GAO Contact and Staff Acknowledgments:
GAO Contact:
Gregory C. Wilshusen, (202) 512-6244:
Staff Acknowledgments:
In addition to the individual named above, Jennifer Wilson, Assistant
Director; Joanne Fiorino; Kenneth A. Johnson; Lori Martinez; Leena
Mathew; and Altony Rice made key contributions to this report.
(310532):
FOOTNOTES
[1] GAO, High Risk Series: An Update, GAO-05-207 (Washington, D.C.:
January 2005).
[2] Federal Information Security Management Act of 2002, Title III, E-
Government Act of 2002, Pub. L. No. 107-347, Dec. 17, 2002.
[3] Office of Management and Budget, Circular A-130, Appendix III,
Security of Federal Automated Information Resources (Washington, D.C.:
Nov. 28, 2000).
[4] Public Law 107-296 (November 25, 2002).
[5] GAO, High-Risk Series: An Update, GAO-03-119 (Washington, D.C.:
January 2003).
[6] 6 U.S.C. § 113(a).
[7] 6 U.S.C. § 111(b).
[8] Pub. L. No. 108-334 (Oct. 18, 2004).
[9] 6 U.S.C. § 113(a).
[10] DHS aggregates the 13 major agency components' data and reports on
the department's compliance with the Federal Information Security
Management Act of 2002 (FISMA). However, as shown in figure 1, the
Transportation Security Administration, Customs and Border Protection,
Immigration and Customs Enforcement, and Federal Law Enforcement
Training Center report to the Under Secretary Border and Transportation
Security; and the Under Secretary Border and Transportation Security is
not a separate component for FISMA reporting.
[11] 40 U.S.C. § 11315.
[12] 44 U.S.C. § 3544 (a)(3).
[13] See, for example, GAO-05-207; DHS, OIG, DHS Needs to Strengthen
Controls For Remote Access to Its Systems and Data, OIG-05-03 (November
2004); GAO, Information Security: Improving Oversight of Access to
Federal Systems and Data by Contractors Can Reduce Risk, GAO-05-362
(Washington, D.C.: April 2005); and DHS, OIG, Inadequate Security
Controls Increase Risks to DHS Wireless Networks, OIG-04-27 (June
2004).
[14] Trusted Agent FISMA is an enterprise tool for aggregating data
reported by the components to gauge how well the department is
complying with key information security practices and controls.
[15] The digital dashboard is to serve as a management tool to ensure
the components take a risk-based, cost-effective approach to secure
their information and information systems, identify and resolve current
information security weaknesses and risks, as well as protect against
future vulnerabilities and threats. The dashboard allows management to
monitor the components' remediation efforts to identify progress and
problems. Each component's success in meeting the FISMA requirements is
reported as a percentage of compliance, along with a red, amber, or
green color-coded gauge or traffic light display.
[16] Office of Management and Budget, Circular A-130, Appendix III,
Security of Federal Automated Information Resources (Washington, D.C.:
Nov. 28, 2000).
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site (www.gao.gov) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548
To order by Phone:
Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548