Information Security: Department of Homeland Security Needs to Fully Implement Its Security Program

GAO-05-700 Published: Jun 17, 2005. Publicly Released: Jul 08, 2005.
Highlights

The Homeland Security Act of 2002 mandated the merging of 22 federal agencies and organizations to create the Department of Homeland Security (DHS), whose mission, in part, is to protect our homeland from threats and attacks. DHS relies on a variety of computerized information systems to support its operations. GAO was asked to review DHS's information security program. In response, GAO determined whether DHS had developed, documented, and implemented a comprehensive, departmentwide information security program.

Recommendations

Recommendations for Executive Action

Agency Affected: Office of the Chief Information Officer (DOD CIO)
Recommendation: To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the Chief Information Officer to instruct the Chief Information Security Officer (CISO) and component agencies to fully implement the following key information security practices and controls by developing complete risk assessments.
Status: Closed – Implemented
Status Details: The Department of Homeland Security (DHS) has since developed and implemented complete risk assessments. The DHS Inspector General verified and reported that the Office of Information Security (OIS) has since developed and implemented complete risk assessments with the DHS Information Security Certification and Accreditation (C&A) Remediation Plan.

Agency Affected: Office of the Chief Information Officer (DOD CIO)
Recommendation: To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the CISO and component agencies to fully implement the following key information security practices and controls by documenting comprehensive security plans.
Status: Closed – Implemented
Status Details: The Department of Homeland Security (DHS) has since developed and implemented comprehensive security plans. The DHS Inspector General verified and reported that the Office of Information Security (OIS) has since developed and implemented complete security plans with the DHS Information Security Certification and Accreditation (C&A) Remediation Plan.

Agency Affected: Office of the Chief Information Officer (DOD CIO)
Recommendation: To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the CISO and component agencies to fully implement the following key information security practices and controls by fully performing testing and evaluation of security controls.
Status: Closed – Implemented
Status Details: The Department of Homeland Security (DHS) has since developed and implemented testing and evaluation of security controls. The DHS Inspector General verified and reported that the Office of Information Security (OIS) has since developed and implemented complete testing and evaluation of security controls with the DHS Information Security Certification and Accreditation (C&A) Remediation Plan.

Agency Affected: Office of the Chief Information Officer (DOD CIO)
Recommendation: To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the CISO and component agencies to fully implement the following key information security practices and controls by reporting complete remedial action plans.
Status: Closed – Implemented
Status Details: The Department of Homeland Security (DHS) has since developed and implemented complete remedial action plans. The DHS Inspector General verified and reported that the Office of Information Security (OIS) has since developed and implemented complete remedial action plans with the DHS Information Security Certification and Accreditation (C&A) Remediation Plan.

Agency Affected: Office of the Chief Information Officer (DOD CIO)
Recommendation: To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the CISO and component agencies to fully implement the following key information security practices and controls by developing, documenting, and testing continuity of operations plans.
Status: Closed – Implemented
Status Details: The Department of Homeland Security (DHS) has since developed and tested continuity of operations plans. The DHS Inspector General verified and reported that the Office of Information Security (OIS) has since developed and implemented complete continuity of operations plans with the DHS Information Security Certification and Accreditation (C&A) Remediation Plan.

Agency Affected: Office of the Chief Information Officer (DOD CIO)
Recommendation: To help fully implement DHS's departmentwide information security program, the Secretary of DHS should direct the Chief Information Officer to establish milestones for completing verification of the components' reported performance data in Trusted Agent Federal Information Security Management Act.
Status: Closed – Implemented
Status Details: The Department of Homeland Security (DHS) has since followed documented processes and procedures for verification of the components' reported performance data in Trusted Agent FISMA (TAF). The DHS Inspector General verified and reported that milestones were completed in 2007 and the POA&M has been closed.

Topics

Chief information security officers; Computer security; Continuity of operations; E-government; Homeland security; Information resources management; Information security; Information systems; Internal controls; Performance measures; Security policies; Strategic information systems planning; Systems evaluation