While the Department of Homeland Security (DHS) has been effective in strengthening Federal cybersecurity generally, the agency needs to push harder on agencies to follow through on its security directives, the Government Accountability Office said in a new report. DHS responded to the report by saying it has fixes in process.
GAO conducted a study which found that while DHS security directives have been effective in mitigating critical security risks, DHS has sometimes failed to ensure that agencies follow through on those directives or complete them on time.
By law, DHS plays a dominant role in Federal civilian agency cybersecurity. FISMA (Federal Information Security Management Act) authorizes DHS, in consultation with the Office of Management and Budget (OMB), to develop and oversee the implementation of compulsory directives – referred to as binding operational directives – covering executive branch civilian agencies.
While emphasizing DHS’s success in improving the overall civilian agency security picture, GAO also noted that agencies saw a performance dip of more than 20 percent in mitigating critical vulnerabilities within 30 days over the last year.
The report also found that DHS had only completed about half of its mandated assessments of critical government information systems since 2018.
GAO also flagged a lack of coordination by DHS, saying the agency sometimes failed to consult with officials at the National Institute of Standards and Technology (NIST) in a timely fashion to receive NIST’s input on shaping DHS cybersecurity directives. DHS is required to do so under FISMA.
“Specifically, the NIST officials stated that often DHS did not reach out to NIST on the most recent directives until 1 to 2 weeks before they were to be issued, and then did not incorporate the NIST technical comments that were provided,” the report states.
GAO issued four recommendations to DHS to develop a more effective process for drafting and distributing security directives:
- Determine when to coordinate with relevant stakeholders, such as NIST and the General Services Administration (GSA);
- Develop a strategy for validating agencies’ self-reported actions on meeting directives;
- Ensure that directive performance metrics for addressing vulnerabilities identified by high value asset assessments align with the process DHS has established; and
- Develop a schedule and plan for completing high value asset assessments.
DHS officials responded that the agency is already working on improving its process for drafting security directives, and agreed with the recommendations made by GAO.
“It is important to note that during this review, DHS was in the process of updating the cybersecurity directives process to incorporate several key lessons learned and enhancement opportunities identified over the past several years… DHS remains committed to strengthening its management processes, procedures, and technical capabilities to better address enterprise risks and emerging threats through the directives process,” said Jim Crumpacker, director of the Departmental GAO-OIG Liaison Office, in a letter to GAO’s Information Technology and Cybersecurity Director Vijay D’Souza in response to the report’s findings.