January 27, 2022

News

News Network

Cybersecurity: DHS and Selected Agencies Need to Address Shortcomings in Implementation of Network Monitoring Program

16 min read
<div>Selected agencies—the Federal Aviation Administration, Indian Health Services, and Small Business Administration—had generally deployed tools intended to provide cybersecurity data to support the Department of Homeland Security's (DHS) Continuous Diagnostics and Mitigation (CDM) program. As depicted in the figure, the program relies on automated tools to identify hardware and software residing on agency networks. This information is aggregated and compared to expected outcomes, such as whether actual device configuration settings meet federal benchmarks. The information is then displayed on an agency dashboard and federal dashboard. Continuous Diagnostics and Mitigation Program Data Flow from Agencies to the Federal Dashboard However, while agencies reported that the program improved their network awareness, none of the three agencies had effectively implemented all key CDM program requirements. For example, the three agencies had not fully implemented requirements for managing their hardware. This was due in part to contractors, who install and troubleshoot the tools, not always providing unique identifying information. Accordingly, CDM tools did not provide an accurate count of the hardware on their networks. In addition, although most agencies implemented requirements for managing software, they were not consistently comparing configuration settings on their networks to federal core benchmarks intended to maintain a standard level of security. The agencies identified various challenges to implementing the program, including overcoming resource limitations and not being able to resolve problems directly with contractors. DHS had taken numerous steps to help manage these challenges, including tracking risks of insufficient resources, providing forums for agencies to raise concerns, and allowing agencies to provide feedback to DHS on contractor performance. In 2013, DHS established the CDM program to strengthen the cybersecurity of government networks and systems by providing tools to agencies to continuously monitor their networks. The program, with estimated costs of about $10.9 billion, intends to provide capabilities for agencies to identify, prioritize, and mitigate cybersecurity vulnerabilities. GAO was asked to review agencies' continuous monitoring practices. This report (1) examines the extent to which selected agencies have effectively implemented key CDM program requirements and (2) describes challenges agencies identified in implementing the requirements and steps DHS has taken to address these challenges. GAO selected three agencies based on reported acquisition of CDM tools. GAO evaluated the agencies' implementation of CDM asset management capabilities, conducted semi-structured interviews with agency officials, and examined DHS actions. GAO is making six recommendations to DHS, including to ensure that contractors provide unique hardware identifiers; and nine recommendations to the three selected agencies, including to compare configurations to benchmarks. DHS and the selected agencies concurred with the recommendations. For more information, contact Vijay A. D'Souza at (202) 512-6240 or dsouzav@gao.gov.</div>

What GAO Found

Selected agencies—the Federal Aviation Administration, Indian Health Services, and Small Business Administration—had generally deployed tools intended to provide cybersecurity data to support the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program. As depicted in the figure, the program relies on automated tools to identify hardware and software residing on agency networks. This information is aggregated and compared to expected outcomes, such as whether actual device configuration settings meet federal benchmarks. The information is then displayed on an agency dashboard and federal dashboard.

Continuous Diagnostics and Mitigation Program Data Flow from Agencies to the Federal Dashboard

However, while agencies reported that the program improved their network awareness, none of the three agencies had effectively implemented all key CDM program requirements. For example, the three agencies had not fully implemented requirements for managing their hardware. This was due in part to contractors, who install and troubleshoot the tools, not always providing unique identifying information. Accordingly, CDM tools did not provide an accurate count of the hardware on their networks. In addition, although most agencies implemented requirements for managing software, they were not consistently comparing configuration settings on their networks to federal core benchmarks intended to maintain a standard level of security.

The agencies identified various challenges to implementing the program, including overcoming resource limitations and not being able to resolve problems directly with contractors. DHS had taken numerous steps to help manage these challenges, including tracking risks of insufficient resources, providing forums for agencies to raise concerns, and allowing agencies to provide feedback to DHS on contractor performance.

Why GAO Did This Study

In 2013, DHS established the CDM program to strengthen the cybersecurity of government networks and systems by providing tools to agencies to continuously monitor their networks. The program, with estimated costs of about $10.9 billion, intends to provide capabilities for agencies to identify, prioritize, and mitigate cybersecurity vulnerabilities.

GAO was asked to review agencies’ continuous monitoring practices. This report (1) examines the extent to which selected agencies have effectively implemented key CDM program requirements and (2) describes challenges agencies identified in implementing the requirements and steps DHS has taken to address these challenges.

GAO selected three agencies based on reported acquisition of CDM tools. GAO evaluated the agencies’ implementation of CDM asset management capabilities, conducted semi-structured interviews with agency officials, and examined DHS actions.

What GAO Recommends

GAO is making six recommendations to DHS, including to ensure that contractors provide unique hardware identifiers; and nine recommendations to the three selected agencies, including to compare configurations to benchmarks. DHS and the selected agencies concurred with the recommendations.

For more information, contact Vijay A. D’Souza at (202) 512-6240 or dsouzav@gao.gov.

News Network

  • Pharr man pleads guilty to smuggling multiple drugs in cardboard box
    In Justice News
    A 46-year-old Pharr man [Read More…]
  • Assistant Attorney General John C. Demers Delivers Remarks on the National Security Cyber Investigation into North Korean Operatives
    In Crime News
    Today, the Justice Department is announcing charges following a significant national security cyber investigation first disclosed publicly more than two years ago.
    [Read More…]
  • Overseas Schools Advisory Council Meeting –  Thursday, June 17, 2021
    In Crime Control and Security News
    Office of the [Read More…]
  • Gang members sentenced for assaulting federal officers
    In Justice News
    The final Houston area [Read More…]
  • On the 31st Anniversary of the Americans with Disabilities Act
    In Crime Control and Security News
    Ned Price, Department [Read More…]
  • Defense Acquisitions: DOD Should Take Additional Actions to Improve How It Approaches Intellectual Property
    In U.S GAO News
    Why This Matters The Department of Defense (DOD) acquires and licenses intellectual property (IP)—such as computer software and technical data—for its cutting-edge weapon systems. Yet, DOD often does not acquire the IP it needs to operate and maintain those systems, which can lead to surging costs later. In 2019, DOD assigned specific IP responsibilities to organizations within the department. Key Takeaways DOD organizations are working to meet their assigned IP responsibilities. However, DOD has not fully addressed how the IP Cadre—DOD's new group of specialized experts—will fulfill all of its responsibilities. The IP Cadre faces uncertainty in these areas: Funding and staffing: DOD currently plans to provide the Director of the IP Cadre and his team in the Office of the Secretary of Defense (OSD) with funding for five positions through fiscal year 2023. IP Cadre members told us the temporary positions were a disincentive during the hiring process and could present future staffing obstacles. Program support: The members of the IP Cadre at OSD expect to tap into a larger pool of IP experts across DOD to support program offices by helping them develop IP strategies and negotiate with contractors, among other things. However, DOD has not yet detailed how the Director of the IP Cadre and the OSD team will work with these other experts. Expertise: DOD officials said the department lacks sufficient expertise in two key areas—IP valuation (determining its worth) and financial analysis. DOD is currently conducting a pilot project to study valuation strategies. However, DOD officials said more work is needed to provide this expertise. Determining the IP Cadre's staffing and resource needs will help DOD better position the IP Cadre for success. Department of Defense Intellectual Property Cadre How GAO Did This Study We reviewed guidance, reports, and documentation on IP issues; interviewed DOD personnel, military officials, and industry groups; and reviewed the existing regulatory and agency frameworks related to IP.
    [Read More…]
  • Owner of a Tanker Truck Repair Company Pleads Guilty to Lying to OSHA During Explosion Investigation
    In Crime News
    An Idaho man pleaded guilty today to lying to the Occupational Safety and Health Administration (OSHA) and to making an illegal repair to a cargo tanker in violation of the Hazardous Materials Transportation Act.
    [Read More…]
  • Intellectual Property: Additional Agency Actions Can Improve Assistance to Small Businesses and Inventors
    In U.S GAO News
    The U.S. Patent and Trademark Office (USPTO) offers multiple programs that help small businesses and inventors with acquiring intellectual property protections, which can help protect creative works or ideas. These programs, such as the Inventors Assistance Center, are aimed at assisting the public, especially small businesses and inventors, with intellectual property protections. Several stakeholders GAO interviewed said that USPTO programs have been helpful, but they were also not aware of some USPTO programs. Although these programs individually evaluate how they help small businesses and inventors, the agency does not collect and evaluate overall information on whether these programs are effectively reaching out to and meeting the needs of these groups. Under federal internal control standards, an agency should use quality information to achieve its objectives. Without an agency-wide approach to collect information to help evaluate the extent to which its programs serve small businesses and inventors, USPTO may not have the quality information needed to fully evaluate the effectiveness of its outreach and assistance for these groups and thus make improvements where necessary. Although the Small Business Administration (SBA) coordinates with USPTO through targeted efforts to provide intellectual property training to small businesses, it has not fully implemented some statutory requirements that can further enhance this coordination. While SBA and the Small Business Development Centers (SBDCs) coordinate with USPTO programs at the local level to train small businesses on intellectual property protection (see figure), this coordination is inconsistent. For example, two of the 12 SBDCs that GAO interviewed reported working primarily with USPTO to help small businesses protect their intellectual property, but the other 10 did not. The Small Business Innovation Protection Act of 2017 requires SBA and USPTO to coordinate and build on existing intellectual property training programs, and requires that SBA's local partners, specifically the SBDCs, provide intellectual property training, in coordination with USPTO. SBA officials reported that they are in the process of implementing requirements of this act. Incorporating selected leading practices for collaboration, such as documenting the partnership agreement and clarifying roles and responsibilities, could help SBA and USPTO fully and consistently communicate their existing resources to their partners and programs, enabling them to refer these resources to small businesses and inventors. Figure: The Small Business Administration (SBA) and the U.S. Patent and Trademark Office (USPTO) Coordinate at the Local Level, but Are Inconsistent Small businesses employ about half of the U.S. private workforce and create approximately two-thirds of the nation's jobs. For many small businesses, intellectual property aids in building market share and creating jobs. Among the federal agencies assisting small businesses with intellectual property are USPTO, which grants patents and registers trademarks, and SBA, which assists small businesses on a variety of business development issues, including intellectual property. GAO was asked to review resources available to help small businesses and inventors protect intellectual property, and their effectiveness. This report examines, among other things, (1) the extent to which USPTO evaluates the effectiveness of its efforts to assist small businesses and (2) SBA's coordination with USPTO to assist small businesses. GAO analyzed agency documents and interviewed officials who train and assist small businesses. GAO also interviewed stakeholders, including small businesses, and, among other things, reviewed federal internal control standards and selected leading practices for enhancing interagency collaboration. GAO is making four recommendations, including that USPTO develop an agency-wide approach to evaluate the effectiveness of its efforts to help small businesses and inventors, and that SBA document its partnership agreement with USPTO and clarify roles and responsibilities for coordinating with USPTO to provide training. Both agencies agreed with GAO's recommendations. For more information, contact John Neumann, (202) 512-6888, NeumannJ@gao.gov. 
    [Read More…]
  • Farm Programs: USDA Should Take Additional Steps to Ensure Compliance with Wetland Conservation Provisions
    In U.S GAO News
    What GAO Found The U.S. Department of Agriculture's (USDA) Natural Resources Conservation Service (NRCS) has taken steps to increase the consistency of their determinations about where wetlands exist on farmers' lands. For example, NRCS state offices formed teams to make such determinations in the prairie pothole region (see fig.), which covers parts of Iowa, Minnesota, North Dakota, and South Dakota. These offices also standardized their wetland determination procedures and included more details, such as the types of data that can be used to identify wetland boundaries. Under wetland conservation provisions in federal law, to receive the benefits of certain USDA farm programs, farmers must not convert wetlands to cropland. Wetlands and Cropland in the Prairie Pothole Region NRCS's primary method to ensure compliance with wetland conservation provisions is conducting annual compliance checks of selected tracts of land for farmers in USDA programs. To select tracts, NRCS draws a national random sample. The sample is to include about 1 percent of tracts subject to wetland the provisions nationally, so many tracts are not sampled for years. For 2014 through 2018, NRCS identified fewer than five farmers with wetland conservation violations per year on the approximately 417,000 tracts in North Dakota and South Dakota—the states with the most wetland acres. Agency officials said NRCS has limited resources to conduct more checks. However, some USDA agencies emphasize risk-based criteria, rather than a random sample, in selecting tracts to check for compliance with other provisions. Doing so makes the checks more efficient by targeting the tracts most likely to have violations. If NRCS used a risk-based approach for its compliance checks (e.g., using information on acres cultivated annually on tracts), it could more efficiently ensure compliance with wetland conservation provisions. If NRCS finds violations, USDA's Farm Service Agency (FSA) may withhold program benefits from farmers, or it may grant waivers to farmers who acted in good faith, without intent to commit violations. FSA granted 243 of 301 requests for good-faith waivers from 2010 to 2018, according to FSA data. FSA relies on committees of fellow farmers to decide on waivers by considering factors such as prior violations. GAO found that some committees relied on weak justification to grant waivers even if farmers had prior violations and that FSA had not specified what is adequate justification. By specifying what constitutes adequate justification, FSA could better ensure it provides benefits only to eligible farmers. Why GAO Did This Study Wetlands perform vital ecological functions, and draining them can harm water quality and wildlife habitat. Many wetlands were drained for farming before enactment of wetland conservation provisions in 1985. However, millions of acres of wetlands, known as potholes, remain in the prairie pothole region. NRCS determines where wetlands exist on the land of farmers who participate in USDA farm programs, and it identifies violations of wetland provisions. FSA administers farm program benefits. In 2017, USDA's Office of Inspector General reported that NRCS had implemented wetland determination procedures in the prairie pothole region inconsistently. GAO was asked to review USDA's implementation of wetland conservation provisions in the prairie pothole region. This report examines, among other objectives, the steps NRCS has taken to increase the consistency of wetland determinations and the approaches NRCS and FSA use to ensure compliance with the provisions. GAO reviewed agency manuals, data, and files on wetland determinations and waivers, and interviewed agency officials and stakeholder groups.
    [Read More…]
  • Justice Department Announces Multi-Million Dollar Civil Settlement in Principle in Mother Emanuel Charleston Church Mass Shooting
    In Crime News
    Today, the Department of Justice announced that it has reached an agreement in principle to settle the civil cases arising out of the June 2015 Mother Emanuel AME Church mass shooting in Charleston, South Carolina.
    [Read More…]
  • Montana Federal Court Finds Tax Shelter Promoter Liable for Over $8 Million in Penalties for Timeshare Donation Scheme
    In Crime News
    On Dec. 16, following a bench trial in May 2021, a federal court in the District of Montana ruled that James Tarpey, a Montana-based attorney, is liable for approximately $8,465,000 in penalties for promoting a tax shelter involving improper deductions for donating timeshares.
    [Read More…]
  • Panama’s Independence Day
    In Crime Control and Security News
    Antony J. Blinken, [Read More…]
  • Panama investigation leads to local child pornography plea
    In Justice News
    An 18-year-old [Read More…]
  • Workrite Companies to Pay $7.1 Million to Settle Alleged Furniture Overcharges
    In Crime News
    Ergonomic office furniture maker Workrite Ergonomics LLC, a Delaware company, and its parent, Knape & Vogt Manufacturing Co. (collectively, Workrite), have agreed to pay $7.1 million to resolve allegations under the False Claims Act that they overcharged the federal government for office furniture under General Services Administration (GSA) contracts, the Department of Justice announced today. 
    [Read More…]
  • Former Supplement Company Owner Pleads Guilty to Unlawful Distribution of Anabolic Steroids and Steroid-like Drugs
    In Crime News
    A Georgia resident and his company pleaded guilty today to a felony charge relating to the distribution of anabolic steroids and steroid-like drugs in purported dietary supplements.
    [Read More…]
  • June 23, 2021, letter commenting on AICPA’s Professional Ethics Executive Committee’s Proposed Interpretations and Definition of the AICPA Code of Professional Conduct, Responding to Non-Compliance with Laws and Regulations
    In U.S GAO News
    This letter provides GAO's comments on the proposed interpretation and definition entitled Responding to Non-Compliance with Laws and Regulations, which the American Institute of Certified Public Accountants (AICPA) prepared. GAO provides standards for performing high-quality audits of government organizations, programs, activities, and functions and of government assistance received by contractors, nonprofit organizations, and other nongovernment organizations with competence, integrity, objectivity, and independence.1 These standards, often referred to as generally accepted government auditing standards (GAGAS), are to be followed by auditors and audit organizations when required by law, regulation, agreement, contract, or policy. For financial audits, GAGAS incorporates by reference the AICPA's Statements on Auditing Standards. For attestation engagements, GAGAS incorporates by reference the AICPA's Statements on Standards for Attestation Engagements.
    [Read More…]
  • Justice Department Files Title VII Sex Discrimination Lawsuit Against Alabama Sheriff’s Office and the Mobile County Sheriff
    In Crime News
    The Department of Justice announced today that it has filed a lawsuit against the Mobile County Sheriff’s Office, Alabama’s second-largest sheriff’s office, and the Mobile County Sheriff, in his official capacity (collectively, MCSO).
    [Read More…]
  • Assistant Secretary for East Asian and Pacific Affairs Daniel J. Kritenbrink and Senior Official for International Organizational Affairs Erica Barks-Ruggles on the Secretary’s Upcoming Travel to the United Kingdom, Indonesia, Malaysia, Thailand, and Hawaii
    In Crime Control and Security News
    Daniel J. Kritenbrink, [Read More…]
  • Two Former Louisiana Correctional Officers Sentenced for Cover Up Following Death of an Inmate
    In Crime News
    Two Louisiana women, former jail deputies, were sentenced today to over a year in prison and six months in prison respectively for their roles in covering up a civil rights violation arising out of an inmate’s death at the St. Bernard Parish Prison (SBPP).
    [Read More…]
  • Czech Republic National Day
    In Crime Control and Security News
    Michael R. Pompeo, [Read More…]

Crime

Network News © 2005 Area.Control.Network™ All rights reserved.