The Department of Homeland Security’s inspector general evaluated DHS’ information security program for fiscal 2017 in compliance with the Federal Information Security Modernization Act of 2014 and found that 64 of its national security and unclassified systems lacked authority to operate.
The DHS IG said in a report published Wednesday that the department failed to implement all configuration settings needed to safeguard component systems, track software licenses for unclassified platforms and test contingency plans for systems.
The inspector general called on the department’s chief information security officer to work with DHS’ undersecretary for management to implement strategies in order to ensure that components carry out measures to address continuous monitoring, weakness remediation and security authorization issues.
DHS should update its continuous monitoring strategy for data systems to include an updated inventory of software licenses and assets, stop using unsupported operating systems, and carry out controls and quality assessments to ensure the accuracy of data entered into the agency’s enterprise management platforms.
The department achieved Level 4 when it comes to the management of identified cyber risks and measures implemented by DHS’ security operations center to address cyber incidents.
Level 4 in the FISMA reporting instructions for fiscal 2017 is defined as “managed and measurable” and seeks to reflect that an agency’s information security program has an “effective” cyber function.