DHS making strides in information security, IG finds

Oct. 20, 2008
Steps made, but component agencies still not implementing all of the department's policies

The Department of Homeland Security (DHS) is making progress in complying with federal security regulations for information security, although component agencies are still not implementing all of the department's policies, according to the DHS Inspector General's (IG) annual report on the matter.

"The performance plan tracks key elements that are indicative of a strong security program," the IG says of the DHS action plan for meeting the requirements of the Federal Information Security Management Act of 2002. The Act requires each federal agency to develop and implement agency-wide security programs to protect information and information systems that support the operations and assets of the agency.

The IG cites four key areas where DHS has implemented plans for improved information security performance: weakness remediation through Plans of Action and Milestones (POA&Ms), the quality of its certification and accreditation processes, annual testing and validation, and security program oversight.

However, the report points to several areas where DHS needs to improve information security. For example, the IG says that DHS lacks an "automated process for maintaining and tracking its classified POA&Ms" and needs to ensure proper training is in place for all individuals with important security responsibilities.

The report says that DHS has improved oversight of its component agencies' information security, although the components are not following all of the department's policies. For example, the IG says that the agencies have not incorporated all known security weaknesses into their POA&Ms, nor have they fully implemented DHS' baseline configuration settings.

DHS concurred with all of the recommendations made by the IG, which believes that the department will take the appropriate steps to implement the recommendations.