Skip to Highlights
Highlights

Intended to enhance the security of U.S. citizens and visitors, United States Visitor and Immigrant Status Indicator Technology (US-VISIT) program encompasses the pre-entry, entry, status management, and exit of foreign national travelers who enter and leave the United States at 285 air, sea, and land ports of entry. GAO was asked to determine whether Department of Homeland Security (DHS) has implemented appropriate controls to protect the confidentiality, integrity, and availability of the information and systems used to support the US-VISIT program. To do this, GAO examined the controls over the systems operated by Customs and Border Protection (CBP) that support the US-VISIT program.

Skip to Recommendations

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Bureau of Customs and Border Protection 1. To help the Department effectively and fully implement information security program activities for CBP systems supporting the US-VISIT program, the Secretary of Homeland Security should direct the Commissioner, U.S. Customs and Border Protection to fully characterize risks in risk assessments for systems supporting US-VISIT program.
Closed - Implemented
In fiscal year 2011, we verified that DHS, in response to our recommendation, (1) completed a privacy impact assessment on December 22, 2010, and (2) completed inventory of all interconnections between TECS and other systems in its risk assessments for systems supporting the US-VISIT program.
Bureau of Customs and Border Protection 2. To help the Department effectively and fully implement information security program activities for CBP systems supporting the US-VISIT program, the Secretary of Homeland Security should direct the Commissioner, U.S. Customs and Border Protection to update the interconnection security agreements in the Treasury Enforcement Communications System (TECS) security plan.
Closed - Implemented
In fiscal year 2011, we verified that DHS, in response to our recommendation, updated the interconnection security agreements in the TECS security plan.
Bureau of Customs and Border Protection 3. To help the Department effectively and fully implement information security program activities for CBP systems supporting the US-VISIT program, the Secretary of Homeland Security should direct the Commissioner, U.S. Customs and Border Protection to enhance the procedures and documentation for testing and evaluating the effectiveness of security controls.
Closed - Implemented
In fiscal year 2011, we verified that DHS, in response to our recommendation, conducted comprehensive security testing on the US-VISIT system that documented its procedures to include evaluation of management, technical and operational controls, security control requirements and traceability matrix, and procedures for evaluating controls being tested.
Bureau of Customs and Border Protection 4. To help the Department effectively and fully implement information security program activities for CBP systems supporting the US-VISIT program, the Secretary of Homeland Security should direct the Commissioner, U.S. Customs and Border Protection to ensure remedial action plans address all significant security vulnerabilities, accurately report status of remedial actions, and identify necessary resources for completing actions.
Closed - Implemented
In fiscal year 2011, we verified that DHS, in response to our recommendation, (1) developed remedial action plans for the US-VISIT system that addresses significant security vulnerabilities as identified in systems certification and accreditation and annual assessment,(2) accurately report status of remedial actions with milestones and completion dates, (3) identified financial resources to complete remediation action.
Bureau of Customs and Border Protection 5. To help the Department effectively and fully implement information security program activities for CBP systems supporting the US-VISIT program, the Secretary of Homeland Security should direct the Commissioner, U.S. Customs and Border Protection to fully develop and implement policies and tools for the timely detection and handling of security incidents.
Closed - Implemented
In fiscal year 2011, we verified that DHS, in response to our recommendation, (1) installed host intrusion prevention system (HIPS) which included both intrusion prevention and host based firewall components onto all CBP Windows workstations, and (2) issued Policy and Procedures for Incident Handling.
Bureau of Customs and Border Protection 6. To help the Department effectively and fully implement information security program activities for CBP systems supporting the US-VISIT program, the Secretary of Homeland Security should direct the Commissioner, U.S. Customs and Border Protection to update and complete privacy documents for systems supporting the US-VISIT program.
Closed - Implemented
In fiscal year 2011, we verified that DHS, in response to our recommendation, has issued an approved privacy impact assessment for TECS on December 22, 2010.

Full Report

GAO Contacts