The Department of Homeland Security has made strides in reducing its high-risk status, overcoming major obstacles in two areas, but still has a lot of work to do in three other criteria identified previously by the Government Accountability Office (GAO), according to testimony given before the House Committee on Homeland Security by Gene L. Dodaro, the Comptroller General of the U.S. and head of the GAO.
The GAO had previously included DHS on its high-risk list and charged the agency with meeting criteria for improvement in areas for which it has sole responsibility or plays a critical role, including information security and protecting cyber critical infrastructure, sharing terrorism-related information, strengthening management function, including IT management, and the National Flood Insurance Program. In each of those areas, DHS was assessed based on leadership commitment, corrective action plan, capacity, framework to monitor progress, and demonstrated, sustained progress.
The department made its biggest strides in strengthening management function. But citing numerous government-issued, strategy-related documents that “established performance goals and a mechanism to monitor performance in three cross-agency priority areas of strong authentication, Trusted Internet Connections, and continuous monitoring,” Dodaro told the House Committee that, like other agencies, DHS needs to put “more effort” into addressing “a number of areas.”
Confirming that GAO continues to support DHS's role in federal cyber security, Dodaro reiterated the need for Congress to pass “legislation that would clarify roles and responsibilities for implementing and overseeing federal information security programs and for protecting the nation's critical cyber assets.”
He noted that, in an effort to better secure federal systems, DHS is already conducting CyberStat reviews designed to help improve information security; holding interviews with agency CIOs and CISOs on security status and issues; and establishing a program to help agencies expand continuous diagnostics and mitigation capabilities. In addition, DHS is “refining performance metrics that agencies use for FISMA reporting purposes.”