DHS information security plans lacking, GAO says

The Homeland Security Department has yet to establish an adequate information security program, congressional auditors found after spending nearly a year reviewing its cybersecurity policies and plans.

Since the formation of Homeland Security in 2003, the department has struggled to manage its various components' computer systems, according to a new Government Accountability Office report. Complying with the 2002 Federal Information Security Management Act and guidance from the Office of Management and Budget for securing computer systems has proven to be difficult. Failure to implement established security policies has limited the department's ability to protect its information, the report (GAO-05-700) stated.

"Until DHS addresses these weaknesses and fully implements a comprehensive, departmentwide information security program, its ability to protect the confidentiality, integrity and availability of its information and information systems will be limited," the report stated.

The report, requested by Sen. Joseph Lieberman, D-Conn., ranking member of the Senate Homeland Security and Governmental Affairs Committee, commended DHS for making "significant progress in developing and documenting a departmentwide information security program," but noted that weaknesses continue to threaten the security of its computer systems.

On Monday, Lieberman urged the department to follow GAO's recommendations.

"How can the department possibly protect the nation's critical cyberstructure if it cannot keep its own house in order?" Lieberman said. "More than two years after the department was formed, it should have a better grasp on protecting its own systems and information."

The 36-page review assessed four major DHS components - the US VISIT program, the Immigration and Customs Enforcement bureau, the Transportation Security Administration, and the Emergency Preparedness and Response division-- in five areas of security practices and management.

In the five areas - assessing risks, security plans, security testing and evaluations, corrective action plans, and continuity of operation plans - no component was satisfactory in more than two areas.

The report stated that DHS has developed policies that could serve as a framework for a security program, but gaps in those plans prevent its implementation.

Homeland Security received an F grade in cybersecurity along with seven other agencies rated by a congressional committee in February.

In a response to the GAO report, Robert West, DHS chief information security officer, wrote that the department is doing more than just documenting an information security program.

West cited the success of a pilot certification and accreditation program and a departmentwide inventory of systems and applications, scheduled to be completed in August.