Management Alert - CISA and FLETC Did Not Take Action to Protect Personally Identifiable Information and Sensitive Law Enforcement Training Curricula

During our ongoing audit of the Department of Homeland Security’s learning management system (DHSLearning), we identified a significant risk to the operations, assets, and individuals at the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Law Enforcement Training Centers (FLETC). We are issuing this management alert to advise CISA and FLETC to take immediate action to mitigate risks associated with using a high-risk contractor (Contractor A) to supply their learning management systems. A DHS internal investigation identified Contractor A as having poor cybersecurity practices. By not taking action to mitigate the control deficiencies, CISA and FLETC may be putting sensitive personally identifiable information (PII) and sensitive law enforcement training information stored and processed by CISA and FLETC’s learning management systems at risk of compromise.