The Homeland Security Department—the government’s point agency for cybersecurity—fell short of top marks in three of five areas in the annual information security assessment, according to a report released Monday.
The 2017 Federal Information Security Management Act report rates the department’s various cybersecurity capabilities on a scale of 1 through 5, with the lowest score, 1, representing an “ad-hoc” use of information security and the highest being an “optimized” cybersecurity posture.
“Per the FY 2017 reporting instructions, Level 4, ‘managed and measurable,’ represents an effective cybersecurity function,” Homeland Security’s inspector general wrote. “Where an agency achieves Level 4 in the majority of the five cybersecurity functions evaluated, its information security program may be considered effective overall.”
The department fell just short of that target. Of the five categories assessed—identify, protect, detect, respond and recover—Homeland Security achieved Level 4 in two and Level 3 in the remaining three areas.
The department achieved Level 4 cleanly in the incident response category with no additional recommendations from the inspector general. Auditors also gave the department a Level 4 designation for its ability to identify risk areas but qualified that score, as a number of classified and unclassified systems are still running without updated authorities to operate, or ATOs.
As of June 2017, 64 systems were running without security authorizations, including 16 integral to national security and 48 unclassified systems. While problematic, these numbers are down significantly year over year, from 79 unclassified systems operating without ATOs in 2016 and 203 in 2015.
The department has a goal of 100 percent compliance for its high-value systems and 95 percent compliance for lower-value assets within each of its component agencies. For high-value systems, the Federal Emergency Management Agency, Immigration and Customs Enforcement, the National Protection and Programs Directorate—which oversees critical governmentwide cybersecurity initiatives—and the Coast Guard all fell short. For non-high-value assets, Homeland Security headquarters, the Federal Law Enforcement Training Center, ICE and NPPD missed the mark.