The Department of Homeland Security has made strides in reducing its high-risk status, overcoming major obstacles in two areas, but still has a lot of work to do in three other criteria identified previously by the Government Accountability Office (GAO), according to testimony given before the House Committee on Homeland Security by Gene L. Dodaro, the Comptroller General of the U.S. and head of the GAO.
The GAO had previously included DHS on its high-risk list and charged the agency with meeting criteria for improvement in areas for which it has sole responsibility or plays a critical role, including information security and protecting cyber critical infrastructure, sharing terrorism-related information, strengthening management function including IT management, and the National Flood Insurance Program. In each of those areas, DHS was assessed based on leadership commitment, corrective action plan, capacity, framework to monitor progress and demonstrated, sustained progress.
The department made its biggest strides in strengthening management function. But citing numerous government-issued, strategy-related documents that “established performance goals and a mechanism to monitor performance in three cross-agency priority areas of strong authentication, Trusted Internet Connections, and continuous monitoring,” Dodaro told the House Committee that, like other agencies, DHS needs to put “more effort” into addressing “a number of areas.”
Confirming that GAO continues to support DHS’s role in federal cyber security, Dodaro reiterated the need for Congress to pass “legislation that would clarify roles and responsibilities for implementing and overseeing federal information security programs and for protecting the nation’s critical cyber assets.”
He noted that, in an effort to better secure federal systems, DHS is already conducting CyberStat reviews designed to help improve information security; holding interviews with agency CIOs and CISOs on security status and issues; and establishing a program to help agencies expand continuous diagnostics and mitigation capabilities. In addition, DHS is “refining performance metrics that agencies use for FISMA reporting purposes.”
Dodaro’s testimony came nearly a week after the Office of Management and Budget released the annual FISMA report, which found that federal agencies have gotten better at meeting the requirements laid out by the Federal Information Security Management Act.
Last September the GAO had reported that the current DHS metrics “for gauging the implementation of priority security goals and other important controls did not address key security activities and did not always include performance targets,” Dodaro noted. The GAO had asked OMB and DHS to collaborate on developing better metrics, “and the agencies stated that they plan to implement the recommendation by September 2014,” he said.
DHS has made some headway in enhancing the protection of the nation’s cyber critical infrastructure. By expanding the capacity of its National Cybersecurity and Communications Integration Center, the agency is improving the coordination and sharing of information among federal entities and the private sector. An Information Sharing Working Group and a mechanism for creating cyber threat reports further sharing with private-sector partners. And DHS has set up a voluntary program “to encourage critical infrastructure owners and operators to use the Cyber Security Framework developed by the National Institute of Standards and Technology, required by an Executive Order,” Dodaro explained.
He noted that if the agency expands its Enhanced Cybersecurity Services program, enhances coordination efforts with the private sector and identifies incentives to promote implementation of the NIST framework as the GAO suggested last February, DHS would greatly improve the “flow of timely and actionable cyber security threat and incident information.”
Dodaro gave the federal government the nod for making overall progress in sharing terrorism-related information. While DHS is not responsible for implementing or shepherding the Information Sharing Environment called for in the Intelligence Reform and Terrorism Prevention Act of 2004, Dodaro noted that the agency “plays a critical role in government-wide sharing given its homeland security missions and responsibilities.”