GAO Examines DHS Directives on Federal Cybersecurity
On February 4th the Government Accountability Office (GAO) released a report on directives the Department of Homeland Security (DHS) has produced to strengthen federal cybersecurity. The report found that implementation of the directives strengthened federal cybersecurity and that, going forward, DHS should reform its process for developing and overseeing directives to better ensure their successful implementation.
GAO found that since the passage of the Federal Information Security Modernization Act of 2014 (FISMA), which granted DHS the power to issue compulsory information security directives to federal civilian agencies, DHS has designed but not fully implemented a process to develop and oversee binding directives. DHS procedure calls for coordination with relevant stakeholders early in the directive development process, but in the past DHS's approach to that coordination has been ad hoc. This has left key agencies, including the National Institute of Standards and Technology (NIST) and the General Services Administration (GSA), with minimal time to provide feedback and ensure DHS directives align with existing standards.
In sampling five of the eight directives DHS issued since FISMA passed, GAO found that DHS had not independently validated compliance in all cases. DHS tasked agencies with independently reporting on their own implementation progress but has been unable to confirm that agencies are sticking to their plans of action. GAO took a sample of twelve agencies tasked with implementing DHS directives and found that certain cybersecurity metrics, such as the total number of critical risks mitigated and the time from risk identification to mitigation, were significantly improved. However, more than half the agencies ran over DHS's implementation timeline, and in some cases full implementation was scheduled more than a year after DHS's desired deadline.
Challenges to full directive implementation have included insufficient guidance from DHS, and technical and resource challenges for agencies required to implement these directives. The report noted that "DHS has yet to issue the guidance, standards, and methodologies for Tier 2 or Tier 3 [high value asset (HVA)] assessments", limiting the ability of partner organizations to begin review of over six hundred HVA systems. Federal agencies reported that the challenges limiting their ability to comply with directives in a timely manner included the complexity of complying with DHS directions and the cost of replacing outdated and insecure physical systems. The inability to independently verify agencies' progress, along with problems in achieving timely implementation, has limited the otherwise impressive gains to federal cybersecurity that DHS's directives have achieved. Consequently, DHS has been working with the Office of Management and Budget to support agencies with financial constraints, and has been providing webinars and other information sources to assist agencies' understanding.
GAO recommended that the Secretary of Homeland Security determine when in the development process to coordinate with relevant stakeholders, and that DHS develop a risk-based approach to independently validating agencies' self-reported actions. GAO also recommended that DHS develop and schedule a plan for completing HVA assessments and providing all necessary guidance. DHS has responded and agreed with GAO's recommendations, noting that it is working on a strategy for validating agency results with an estimated completion date of September 30, 2020.