GAO Examines DHS Directives on Federal Cybersecurity

NEXT STORY
Key Issues from Title VIII of the 2020 NDAA

GAO Examines DHS Directives on Federal Cybersecurity

2/11/2020

On February 4^th the Government Accountability Office (GAO) released a report on directives the Department of Homeland Security (DHS) has produced to strengthen federal cybersecurity. The report found that implementation of the directives strengthened federal cybersecurity and that, going forward, DHS should reform the its process for developing and overseeing directives to better ensure their successful implementation.

GAO found that since the passing of the Federal Information Security Modernization Act of 2014 (FISMA), which granted DHS the power to issue compulsory information safety directives to federal civilian agencies, DHS has designed but not fully implemented a process to develop and oversee binding directives. DHS procedure calls for coordination with relevant stakeholders early in the directive development process. In the past their approach to cooperation has been ad hoc. This has left key agencies, including the National Institution of Standards and Technology (NIST) and the General Services Administration (GSA), with minimal time to provide feedback and ensure DHS directives align with existing standards.

In sampling five of the eight directives DHS issued since FISMA passed, GAO found that DHS had not independently validated compliance in all cases. DHS tasked other agencies to independently report on their implementation progress but has been unable to confirm that agencies are sticking to their own plans for action. GAO took a sample of twelve agencies tasked with implementing DHS directives and found that certain cybersecurity metrics, such as the total number of critical risks mitigated and the time from risk identification to mitigation, were significantly improved. However, more than half the agencies ran over DHS’s implementation timeline and in some cases full implementation was scheduled more than a year after DHS’s desired deadline.

Challenges to full directive implementation have included insufficient guidance from DHS, and technical and resources challenges for agencies required to implement these directives. The report noted that, “DHS has yet to issue the guidance, standards, and methodologies for Tier 2 or Tier 3 [high value asset (HVA)] assessments”, limiting the ability of partner organizations to begin review of over six hundred HVA systems. Federal agencies reported that challenges limiting their ability to timely comply with directives included the complexity of complying with DHS directions and the cost of replacing outdated and insecure physical systems. The inability to independently verify agencies’ progress, along with problems in achieving timely implementation, have limited the otherwise impressive gains to federal cybersecurity that DHS’s directives have achieved. Consequently, DHS has been working with the Office of Management and Budget to support agencies with financial constraints, and has been working to provide webinars and other information sources to assist agencies’ understanding.

GAO recommended that the Secretary of Homeland Security determine when in the development process to coordinate with relevant stakeholders, and that a risk-based approach to independent verification of validating agencies’ self-reported actions should be developed. They also recommended that DHS develop and schedule a plan for completing HVA assessments and providing all necessary guidance. DHS has responded and agreed with the GAO’s recommendations, noting that it is working on a strategy for validating agency results with an estimated completion date of September 30, 2020.

Topics: Cyber, Cybersecurity, Homeland Security

Comments (0)

Name *

Email *

Comment *

Please enter the text displayed in the image.

Characters *

Legal Notice *

NDIA is not responsible for screening, policing, editing, or monitoring your or another user's postings and encourages all of its users to use reasonable discretion and caution in evaluating or reviewing any posting. Moreover, and except as provided below with respect to NDIA's right and ability to delete or remove a posting (or any part thereof), NDIA does not endorse, oppose, or edit any opinion or information provided by you or another user and does not make any representation with respect to, nor does it endorse the accuracy, completeness, timeliness, or reliability of any advice, opinion, statement, or other material displayed, uploaded, or distributed by you or any other user. Nevertheless, NDIA reserves the right to delete or take other action with respect to postings (or parts thereof) that NDIA believes in good faith violate this Legal Notice and/or are potentially harmful or unlawful. If you violate this Legal Notice, NDIA may, in its sole discretion, delete the unacceptable content from your posting, remove or delete the posting in its entirety, issue you a warning, and/or terminate your use of the NDIA site. Moreover, it is a policy of NDIA to take appropriate actions under the Digital Millennium Copyright Act and other applicable intellectual property laws. If you become aware of postings that violate these rules regarding acceptable behavior or content, you may contact NDIA at 703.522.1820.

I have read the legal notice.