U.S. Customs and Border Protection (CBP) did not effectively manage and secure its mobile devices, resulting in vulnerabilities and higher susceptibility to cyberattacks, potential unauthorized access to law enforcement and operational sensitive information, and waste and abuse from under- or over-usage. Specifically, we found that CBP did not:

• Consistently implement required security settings to protect its mobile devices or mitigate risks from applications installed on these devices;
• Use its mobile device management system to fully manage and secure its mobile devices;
• Address software vulnerabilities within the mobile device management system;
• Increase monitoring and protection for devices used outside the United States, which are at a higher risk of cyberattacks;
• Perform required steps to reduce risks associated with the disposal, loss, or theft of its mobile devices; and
• Monitor its mobile devices for under- or over-usage.

CBP allowed mobile devices to operate without completing a security authorization process to ensure required security controls; did not establish or implement sufficient security policies and processes; relied on unclear or contradictory guidance; and did not address its increased mobile device losses. Moreover, the Department did not provide oversight to ensure that CBP fulfilled DHS requirements for monitoring mobile devices outside the United States and CBP did not enforce its policies.

Open Recommendations
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details |
|---|---|---|---|---|
| 1 | No | $0 | $0 | We recommend that CBP OCIO implement all necessary mobile device configuration settings in accordance with guidance from DHS and the Defense Information System Agency’s Security Technology Implementation Guides. |
| 2 | No | $0 | $0 | We recommend that CBP OCIO implement controls to address the identified custom-developed application vulnerabilities and create plans of action or waivers for identified weaknesses. |
| 3 | No | $0 | $0 | We recommend that CBP OCIO remove from mobile devices all applications that are prohibited by DHS policy, applications with unmitigated security risks, and applications that do not meet CBP’s business needs. |
| 4 | No | $0 | $0 | We recommend that CBP OCIO develop and implement policies and procedures to ensure: • all user-installed applications are evaluated for security risks to the mobile device and its data and comply with Department policy before allowing for use; and • user-installed applications are managed and monitored on a routine basis. |
| 5 | No | $0 | $0 | We recommend that CBP OCIO develop and implement policies and procedures to ensure CBP-issued mobile devices are managed and monitored by its MDM in accordance with Department policy, specifically to ensure: • CBP-issued mobile devices are enrolled in the MDM; • documentation is required for devices that receive waivers from the policy; and • devices that are enrolled in the MDM but not fully supervised are remediated. |
| 6 | No | $0 | $0 | We recommend that CBP OCIO unenroll all compromised mobile devices from the MDM. |
| 7 | No | $0 | $0 | We recommend that CBP OCIO develop and implement policies and procedures to ensure mobile devices identified as compromised by the MDM are remediated in a timely manner. |
| 8 | No | $0 | $0 | We recommend that CBP OCIO develop and implement policies and procedures to improve the vulnerability management process and to ensure: • credentialed scans are completed and assessed in accordance with DHS guidance; • credentialed scan failures are properly and promptly reported to DHS in accordance with DHS guidance; • plans to address vulnerabilities are created and implemented promptly in accordance with DHS guidance; and • the risk of noncompliant enterprise-level system settings is formally accepted or mitigated. |
| 9 | No | $0 | $0 | We recommend that CBP OCIO develop and implement policies and procedures to monitor and block unauthorized network access attempts from CBP mobile devices operating in foreign locations. |
| 10 | No | $0 | $0 | We recommend that CBP OCIO implement policies and procedures to protect CBP-issued mobile devices used on international travel in accordance with DHS guidance and to ensure: • required security assessments are performed to determine whether to allow employees to travel to foreign locations with CBP-issued mobile devices; • mobile devices receive proper authorization for international travel; • mobile devices have the most recent operating system installed; • mobile devices are configured with minimal features and applications based on mission needs; and • mobile devices are inspected and approved for reuse before reconnecting to a DHS network after returning from overseas use. |
| 11 | No | $0 | $0 | We recommend that CBP OFAM update and implement policies and procedures to improve the safeguarding of sensitive assets and to ensure: • all lost asset incidents involving suspected employee negligence are referred to the Personal Property Management Oversight Board for review and adjudication and that records accurately reflect all applicable actions; • additional training is required for CBP personnel who do not properly safeguard sensitive assets; and • additional training is provided for local property officers on requirements for the disposal and retirement of assets. |
| 12 | No | $0 | $0 | We recommend that CBP OFAM improve property management oversight activities to ensure: • program offices are notified of property management deficiencies; • program offices develop corrective action plans to address reported property management deficiencies; • corrective action plans are adjudicated and the adjudication of such plans is documented; and • program offices implement adjudicated corrective action plans. |
| 13 | No | $0 | $0 | We recommend that CBP OFAM coordinate with CBP OCIO to update and implement policies and procedures to improve its mobile device management to ensure: • all reported lost and disposed-of mobile devices are unenrolled from the mobile device management system; • all lost mobile devices and those CBP no longer requires are timely reported to OIT for sanitization; and • all mobile devices are sanitized before they are released from CBP custody for disposal. |
| 14 | No | $0 | $0 | We recommend that CBP OCIO enforce existing policy and develop procedures to improve the management of mobile services to ensure: • all mobile devices without a business need are unenrolled from mobile services; • mobile service overage charges are incurred in support of mission needs; and • all program offices routinely monitor and report mobile device usage to prevent paying for unnecessary devices and services. |