Report: DHS intelligence unit lacks "adequate oversight" for continuity capabilities
The IG said DHS’s intelligence unit has not established “an adequate oversight structure” for essential requirements in protecting against “the loss of essential records and intelligence."
The Department of Homeland Security's (DHS) intelligence unit has not established “an adequate oversight structure” for continuity capabilities, essential requirements in protecting against “the loss of essential records and intelligence information in an emergency,” according to a report filed by the inspector general of DHS's Office of Intelligence and Analysis (I&A).
In the first report since a federal continuity policy was by approved by President George W. Bush in August 2007, DHS Assistant Inspector General of Information Technology Audits Sondra McCauley found that the intelligence branch failed to develop appropriate policies to conduct a continuity framework that was developed in response to the National Continuity Policy Implementation Plan, detailed in a 2012 report.
In addition, the latest report stated that DHS's intelligence branch failed to “maintain a complete inventory of essential records,” and “include instructions in the continuity plan on moving essential records” to an alternate site.
“This is a document that is couched in friendly language, but has fairly significant and damning findings in it,” said Blackstone Law Group Partner Alexander Urbelis, an attorney who was worked for the U.S. Army and the Central Intelligence Agency, in speaking with SCMagazine.com. “They did half the job in case of disaster recovery.”
The report also called on I&A to improve security of sensitive information and implement procedures outlined in earlier memos, including a September 2014 document “President's Management Council Cybersecurity Meeting” released by the Office of Management and Budget (OMB); and an April 2015 NIST publication “Supply Chain Risk Management Practices for Federal Information Systems and Organizations”.
These suggestions highlight the inherent security risks raised by third parties. Implementing contractor access to sensitive controls is a challenge for the private and public sector. “I would encourage the inspector general's office to consider proposing specific recommendations around the implementation of technologies that can reduce the operational complexity involved with granting contractors access to sensitive software assets while reducing the cyber-attack surface in a meaningful way,” wrote Soha Systems Co-founder and CEO Haseeb Budhani, in an email obtained by SCMagazine.com.
The report also stated that the intelligence arm “did not timely respond to requests for agency transparency under the Freedom of Information Act, potentially creating financial liabilities.”
Urbellis said there has been an increase in the complexity of FOIA requests in recent years, as a result of the Edward Snowden's revelations. While the report suggested technology solutions, Urbellis warned that the solutions may not entirely address the problem. If DHS does not establish the systems properly, it would risk the creation of “a giant repository of information” that could undermine national security.