DHS continuous monitoring can't automatically track devices or connections


Continuous monitoring at the Homeland Security Department lacks a real-time and fully-automated system tracking capability, the DHS office of inspector general says.

In an annual assessment (.pdf) dated Oct. 24 of the DHS information security program required under the Federal Information Security Management Act, auditors note several areas where DHS has yet to fully automate matters, including the tracking of network devices, external connections and software applications.

The department also manually tracks its cloud-based systems inventory, auditors say, keeping external systems outside its enterprise management inventory tools.

Continuous monitoring is one of three cybersecurity priorities identified by the Obama administration in a March 7 report (.pdf), auditors note; the others are consolidation of pathways to the Internet under the Trusted Internet Connections effort and identification and authentication.

When it comes to identity and access management, auditors say DHS lacks the capacity to centrally identify users and devices and mostly doesn't use the smart cards required for all federal agencies under Homeland Security Presidential Directive 12 for network access. DHS has yet to employ HSPD-12 compliant cards for access to classified systems, auditors add.

The report doesn't directly address DHS status with the TIC program. In fact, when identifying what they characterize as the most significant problems, auditors say those problems lie outside the administration's priorities. Namely, system authorization-to-operate (ATO) documents lack key information; plans of action and milestones (POA&Ms) are not being created for all known information security weaknesses or mitigated in a timely manner; and baseline security configurations are not being implemented for all systems.

The overall quality of authorization documents did improve during fiscal 2012, auditors say, but auditors say they found six classified systems operating with an expired ATO, some of them lacking a current ATO since 2007. A review of ATOs for 20 sensitive but unclassified systems and 5 secret systems showed that 17 lacked documentation for elements such as operational and configuration security controls.

Nearly all, 98 percent, of 41 POA&Ms for secret systems were delayed--88 percent had been delayed by at least three months and 30 percent had been delayed by more than a year, say auditors.

In addition, component chief information security officers aren't monitoring the status of their high priority POA&Ms, auditors say, citing the fact that as of June 30, 2012, only 55 percent of 241 priority 4 and 5 POA&Ms had been reviewed and approved by a component CISO.

When it comes to compliance with baseline security configurations--which is typically problematic among federal agencies, since the baseline may interfere with local applications--auditors say that Customs and Border Protection, the Federal Emergency Management Agency and Immigration and Customs Enforcement have implemented fewer than 70 percent of the required baseline settings on their Windows XP machines.

A majority of workstations at DHS run on Windows XP, auditors say; Microsoft will stop supporting XP on Aug. 4, 2014.

Auditors say vulnerability scans on databases and servers also showed that components aren't applying security patches in a timely manner, with some servers running antivirus software whose definitions were last updated in August 2011 and some security patches for operating systems and applications simply missing.

For more:
- download the report, OIG-13-04 (.pdf)
