Sen. Tom Carper sees positive signs in DHS's FISMA audit.

The latest Federal Information Security Management Act audit of the Department of Homeland Security furnishes fodder for both sides of the argument over whether Congress should codify Obama administration actions that have granted DHS sway over other federal civilian agencies.

Legislation to reform FISMA, the law that governs federal information security, and other cybersecurity-related bills have stalled in the Senate, in part, because of concerns from some lawmakers - mostly Republicans - about whether DHS should enforce IT security standards for other civilian agencies, as the president has directed.

The new inspector general report "makes it clear that significant progress has been made in enhancing DHS's information security efforts," says Sen. Tom Carper, D-Del., who chairs the Senate Homeland Security and Governmental Affairs Committee, which provides oversight over federal government IT security. "Despite these gains, though, [the inspector general] highlighted some very important areas in which DHS, like many other federal agencies, can and should improve."

But the ranking member of the committee, Republican Sen. Tom Coburn of Oklahoma, was far less charitable than the chairman, saying the audit shows gaps in DHS's own cybersecurity, including some basic protections "that would be obvious to any 13-year-old with a laptop. President Obama has called on the private sector to improve its cybersecurity practices to ensure that our nation's critical infrastructure is not vulnerable to an attack. DHS and other agencies must be held to at least the same standard."

The Strengths

In DHS's annual FISMA audit, Assistant Inspector General Frank Deffer credits DHS for creating a process to help improve IT security through a new risk management approach that transitions DHS from a static, paper-driven, security authorization process to a dynamic framework "that can provide security-related information on demand to make risk-based decisions based on frequent updates to security plans, security assessment reports and hardware and software inventories."

Deffer says DHS developed and implemented an information security performance plan that defines performance requirements, priorities and overall goals for the department and has taken actions to address the administration's cybersecurity priorities, which include the implementation of trusted Internet connections (see What's Happening with the Trusted Internet Connection?), continuous monitoring and strong authentication.

One role the Obama administration has given DHS in aiding other agencies is the implementation of continuous monitoring to assure the security of government IT systems. The Continuous Diagnostic and Mitigation program, part of a $6 billion initiative, is headed by John Streufert, director of Federal Network Resilience within DHS's National Protection and Programs Directorate and former State Department chief information security officer (see Feds Tackle Continuous Monitoring).

"While these efforts have resulted in some improvements, components are still not executing all of the department's policies, procedures and practices," Deffer says, referring to units within DHS.

Areas of Concern

The IG review also identified what Deffer characterizes as "more significant exceptions to strong and effective information security," including systems operated without proper authorization, plans of action and milestones not being created for known IT security weaknesses and baseline security configuration settings not being implemented for all systems.

Deffer also says DHS needs to improve incident detection and analysis, specialized training, account and identity management and contingency planning.