December 5, 2021

News Network

Information Technology: DHS Directives Have Strengthened Federal Cybersecurity, but Improvements Are Needed

What GAO Found

The Department of Homeland Security (DHS) has established a five-step process for developing and overseeing the implementation of binding operational directives, as authorized by the Federal Information Security Modernization Act of 2014 (FISMA). The process includes DHS coordinating with stakeholders early in the directives’ development process and validating agencies’ actions on the directives. However, in implementing the process, DHS did not coordinate with stakeholders early in the process and did not consistently validate agencies’ self-reported actions. In addition to being a required step in the directives process, FISMA requires DHS to coordinate with the National Institute of Standards and Technology (NIST) to ensure that the directives do not conflict with existing NIST guidance for federal agencies. However, NIST officials told GAO that DHS often did not reach out to NIST on directives until 1 to 2 weeks before the directives were to be issued, and then did not always incorporate the NIST technical comments. More recently, DHS and NIST have started regular coordination meetings to discuss directive-related issues earlier in the process. Regarding validation of agency actions, DHS has done so for selected directives, but not for others. DHS is not well-positioned to validate all directives because it lacks a risk-based approach as well as a strategy to check selected agency-reported actions to validate their completion.

Directives’ implementation often has been effective in strengthening federal cybersecurity. For example, a 2015 directive on critical vulnerability mitigation required agencies to address critical vulnerabilities discovered by DHS cyber scans of agencies’ internet-accessible systems within 30 days. This was a new requirement for federal agencies. While agencies did not always meet the 30-day requirement, their mitigations were validated by DHS and reached 87 percent compliance by 2017 (see fig. 1). DHS officials attributed the recent decline in percentage completion to a 35-day partial government shutdown in late 2018/early 2019. Nevertheless, for the 4-year period shown in the figure below, agencies mitigated within 30 days about 2,500 of the 3,600 vulnerabilities identified.
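The two oversight points above, self-reported mitigations that DHS did not consistently validate and the 30-day mitigation window the 2015 directive imposes, can both be checked mechanically when scan history is available. The following is an added example, not code from the GAO report, DHS or any agency: it reconciles each agency-reported fix date against later independent scan results, flags reports that a rescan contradicts or that no rescan has yet confirmed, and computes the share of identified findings mitigated within 30 days. The findings, scan records, host addresses and field names are constructed for illustration and are assumptions; only the 30-day window comes from the directive.

```python
"""Reconcile agency-reported remediation with independent rescan evidence.

Added example (not GAO, DHS or agency code). All records below are
constructed; field names, hosts and finding ids are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SLA = timedelta(days=30)  # mitigation window the 2015 directive requires


@dataclass(frozen=True)
class Finding:
    finding_id: str
    host: str
    first_seen: date                 # first scan on which the issue was detected
    reported_fixed: Optional[date]   # agency self-reported mitigation date, None if not reported


# Constructed scan history: host -> [(scan date, finding ids still detected on that scan)]
SCANS = {
    "10.0.0.5": [(date(2019, 3, 1), {"F-1"}), (date(2019, 3, 15), {"F-1"}), (date(2019, 4, 5), set())],
    "10.0.0.6": [(date(2019, 3, 1), {"F-2"}), (date(2019, 4, 2), {"F-2"})],
    "10.0.0.7": [(date(2019, 3, 1), {"F-3"}), (date(2019, 4, 15), set())],
    "10.0.0.8": [(date(2019, 3, 20), {"F-4"})],
    "10.0.0.9": [(date(2019, 3, 1), {"F-5"}), (date(2019, 4, 15), {"F-5", "F-6"})],
}

# Constructed agency submissions against those scans
FINDINGS = [
    Finding("F-1", "10.0.0.5", date(2019, 3, 1), date(2019, 3, 20)),   # fixed in 19 days, rescan clean
    Finding("F-2", "10.0.0.6", date(2019, 3, 1), date(2019, 3, 28)),   # claimed fixed, rescan still sees it
    Finding("F-3", "10.0.0.7", date(2019, 3, 1), date(2019, 4, 10)),   # fixed, but after 40 days
    Finding("F-4", "10.0.0.8", date(2019, 3, 20), date(2019, 4, 18)),  # claimed fixed, no rescan yet
    Finding("F-5", "10.0.0.9", date(2019, 3, 1), None),                # never reported fixed
    Finding("F-6", "10.0.0.9", date(2019, 4, 15), None),               # recent, still inside the window
]


def classify(f: Finding, scans=SCANS) -> str:
    """Status of one finding based on scans that ran after the claimed fix date."""
    if f.reported_fixed is None:
        return "open"
    later = [(d, ids) for d, ids in scans.get(f.host, []) if d > f.reported_fixed]
    if not later:
        return "unverified"      # claim exists but nothing independent confirms it yet
    if any(f.finding_id in ids for _, ids in later):
        return "contradicted"    # a rescan after the claimed fix still detects the issue
    return "validated"


def summarize(findings, as_of: date, scans=SCANS) -> dict:
    """Validated 30-day compliance plus the items an overseer should chase."""
    status = {f.finding_id: classify(f, scans) for f in findings}
    within_sla = [f.finding_id for f in findings
                  if status[f.finding_id] == "validated"
                  and f.reported_fixed - f.first_seen <= SLA]
    # Contradicted claims count as still open for overdue purposes.
    overdue = [f.finding_id for f in findings
               if status[f.finding_id] in ("open", "contradicted")
               and as_of - f.first_seen > SLA]
    unverified = [f.finding_id for f in findings if status[f.finding_id] == "unverified"]
    pct = round(100 * len(within_sla) / len(findings), 1) if findings else 0.0
    return {
        "total": len(findings),
        "status": status,
        "validated_within_sla": within_sla,
        "pct_within_sla": pct,      # over all identified findings, as the report measures it
        "overdue": overdue,
        "unverified": unverified,
    }


if __name__ == "__main__":
    report = summarize(FINDINGS, as_of=date(2019, 4, 20))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Only findings whose fix a later scan actually fails to detect count toward the compliance figure; a self-report with no subsequent scan is listed separately as unverified rather than silently credited, which is the distinction the report faults DHS for not drawing consistently.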

Figure 1: Critical Vulnerabilities Mitigated within 30 days, May 21, 2015 through May 20, 2019

Agencies also reported improvements in securing or replacing vulnerable network infrastructure devices. Specifically, a 2016 directive on the Threat to Network Infrastructure Devices addressed, among other things, several urgent vulnerabilities exploited in the targeting of firewalls across federal networks, and provided technical mitigation solutions. As shown in figure 2, in response to the directive, agencies reported progress in mitigating risks to more than 11,000 devices as of October 2018.

Figure 2: Federal Civilian Agency Vulnerable Network Infrastructure Devices That Had Not Been Mitigated, September 2016 through January 2019

Another key DHS directive is Securing High Value Assets, an initiative to protect the government’s most critical information and system assets. According to this directive, DHS is to lead in-depth assessments of federal agencies’ most essential identified high value assets. However, an important performance metric for addressing vulnerabilities identified by these assessments does not account for agencies submitting remediation plans in cases where weaknesses cannot be fully addressed within 30 days. Further, DHS completed only about half of the required assessments in each of the most recent 2 years (61 of 142 required assessments for fiscal year 2018 and 73 of 142 for fiscal year 2019; see fig. 3). In addition, DHS does not plan to finalize guidance to agencies and third parties, such as contractors or agency independent assessors, for conducting reviews of additional high value assets that are considered significant but are not included in DHS’s current review, until the end of fiscal year 2020. Given these shortcomings, DHS is now reassessing key aspects of the program. However, it does not have a schedule or plan for completing this reassessment, or for addressing the outstanding issues of completing required assessments, identifying needed resources, and finalizing guidance to agencies and third parties.

Figure 3: Department of Homeland Security Assessments of Agency High Value Assets, Fiscal Years (FY) 2018 through 2019

Why GAO Did This Study

DHS plays a key role in federal cybersecurity. FISMA authorized DHS, in consultation with the Office of Management and Budget, to develop and oversee the implementation of compulsory directives—referred to as binding operational directives—covering executive branch civilian agencies. These directives require agencies to safeguard federal information and information systems from a known or reasonably suspected information security threat, vulnerability, or risk. Since 2015, DHS has issued eight directives that instructed agencies to, among other things, (1) mitigate critical vulnerabilities discovered by DHS through its scanning of agencies’ internet-accessible systems; (2) address urgent vulnerabilities in network infrastructure devices identified by DHS; and (3) better secure the government’s highest value and most critical information and system assets.

GAO was requested to evaluate DHS’s binding operational directives. This report addresses (1) DHS’s process for developing and overseeing the implementation of binding operational directives and (2) the effectiveness of the directives, including agencies’ implementation of the directive requirements. GAO selected for review the five directives that were in effect as of December 2018, and randomly selected for further in-depth review a sample of 12 agencies from the executive branch civilian agencies to which the directives apply.

In addition, GAO reviewed DHS policies and processes related to the directives and assessed them against FISMA and Office of Management and Budget requirements; administered a data collection instrument to selected federal agencies; compared the agencies’ responses and supporting documentation to the requirements outlined in the five directives; and collected and analyzed DHS’s government-wide scanning data on government-wide implementation of the directives. GAO also interviewed DHS and selected agency officials.
