By Daniel Pulliam
dpulliam at govexec.com
July 11, 2005
The Homeland Security Department has yet to establish an adequate
information security program, congressional auditors found after
spending nearly a year reviewing its cybersecurity policies and plans.
Since the formation of Homeland Security in 2003, the department has
struggled to manage its various components' computer systems,
according to a new Government Accountability Office report. Complying
with the 2002 Federal Information Security Management Act and guidance
from the Office of Management and Budget for securing computer systems
has proven to be difficult. Failure to implement established security
policies has limited the department's ability to protect its
information, the report (GAO-05-700)  stated.
"Until DHS addresses these weaknesses and fully implements a
comprehensive, departmentwide information security program, its
ability to protect the confidentiality, integrity and availability of
its information and information systems will be limited," the report
The report, requested by Sen. Joseph Lieberman, D-Conn., ranking
member of the Senate Homeland Security and Governmental Affairs
Committee, commended DHS for making "significant progress in
developing and documenting a departmentwide information security
program," but noted that weaknesses continue to threaten the security
of its computer systems.
On Monday, Lieberman urged the department to follow GAO's
"How can the department possibly protect the nation's critical
cyberstructure if it cannot keep its own house in order?" Lieberman
said. "More than two years after the department was formed, it should
have a better grasp on protecting its own systems and information."
The 36-page review assessed four major DHS components - the US VISIT
program, the Immigration and Customs Enforcement bureau, the
Transportation Security Administration, and the Emergency Preparedness
and Response division-- in five areas of security practices and
In the five areas - assessing risks, security plans, security testing
and evaluations, corrective action plans, and continuity of operation
plans - no component was satisfactory in more than two areas.
The report stated that DHS has developed policies that could serve as
a framework for a security program, but gaps in those plans prevent
Homeland Security received an F grade in cybersecurity  along with
seven other agencies rated by a congressional committee in February.
In a response to the GAO report, Robert West, DHS chief information
security officer, wrote that the department is doing more than just
documenting an information security program.
West cited the success of a pilot certification and accreditation
program and a departmentwide inventory of systems and applications,
scheduled to be completed in August.
Attend the Black Hat Briefings and
Training, Las Vegas July 23-28 -
2,000+ international security experts,
10 tracks, no vendor pitches.