The Cybersecurity and Infrastructure Security Agency (CISA) did not implement effective controls for the selected High Value Asset (HVA) system per Federal and departmental requirements. CISA developed policies and procedures to reduce risks to sensitive information stored on the selected HVA system. However, we identified security deficiencies in two of eight security and privacy controls required by the National Institute of Standards and Technology pertaining to:
• access controls; and
• awareness and training.
These deficiencies occurred because CISA did not have effective continuous monitoring of the selected HVA system. Without effective controls, CISA could not be assured that sensitive information stored and processed by the selected HVA system was protected and secured.
Date Issued
Submitting OIG: Department of Homeland Security OIG
Agencies Reviewed/Investigated: Department of Homeland Security
Report Number: OIG-25-08
Report Description
Report Type: Audit
Agency Wide: Yes
Number of Recommendations: 1
Questioned Costs: $0
Funds for Better Use: $0
Report updated under NDAA 5274: No
Open Recommendations
This report has 1 open recommendation.

Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
---|---|---|---|---
1 | No | $0 | $0 |

We recommend the CISA Director strengthen CISA’s Tier 1 High Value Asset Assessment Process to include the major security threats that it identifies in its alerts and notifications to Federal agencies as part of the assessment.