The Department of Homeland Security Office of Intelligence and Analysis (I&A) and Office of the Chief Information Officer (OCIO) did not effectively manage and secure I&A mobile devices, resulting in vulnerabilities and a higher risk of cyberattacks, unauthorized access to sensitive information, and waste. • Two I&A-developed apps used to share intelligence with law enforcement and first responders had three vulnerabilities known to I&A but not remediated, risking exploitation. • 76 percent of apps installed on I&A mobile devices pose security risks, are prohibited, or allow prohibited activities. • I&A and OCIO did not ensure I&A devices were authorized and protected for use outside of the United States, increasing the risk of exploitation by foreign adversaries. • I&A accounted for only 11 percent of mobile devices recorded in OCIO’s asset management system as issued to I&A staff, and OCIO did not properly sanitize disposed-of I&A mobile devices, risking protection of sensitive information. • 27 percent of mobile device and 44 percent of mobile device management system security settings did not comply with DHS requirements, exposing devices to cybersecurity risks such as unauthorized access and data breaches. These deficiencies occurred in part because I&A did not address known vulnerabilities in mobile apps. Additionally, OCIO did not establish or enforce security policies and procedures for mobile devices and supporting infrastructure, and in some cases had not identified vulnerabilities. Also, I&A’s foreign travel policy was outdated, and OCIO had not implemented separate security controls for I&A devices used for international travel. Data Access: OCIO denied us direct access to ServiceNow, which precluded an independent, comprehensive review of the data.
Open Recommendations
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | |
|---|---|---|---|---|---|
| 1 | No | $0 | $0 | ||
| We recommend the DHS Office of the Chief Information Officer implement all necessary mobile device security countermeasures in accordance with guidance from DHS and the Defense Information System Agency’s Security Technology Implementation Guides. | |||||
| 2 | No | $0 | $0 | ||
| We recommend I&A’s Directorate of Technology and Data Services implement controls to address identified custom-developed application vulnerabilities and weaknesses. | |||||
| 3 | No | $0 | $0 | ||
| We recommend the DHS Office of the Chief Information Officer develop and implement policies and procedures to ensure component custom-developed applications have been evaluated and do not have unmitigated vulnerabilities. | |||||
| 4 | No | $0 | $0 | ||
| We recommend the DHS Office of the Chief Information Officer remove applications from component mobile devices that are prohibited by DHS policy, applications with unmitigated security risk, and applications that do not meet business needs. | |||||
| 5 | No | $0 | $0 | ||
| We recommend the DHS Office of the Chief Information Officer develop and implement policies and procedures to ensure: • all user-installed applications are evaluated for security risks to the mobile device or data security and for compliance with Department policy before allowing their use; and • user-installed applications are managed and monitored on a routine basis. | |||||
| 6 | No | $0 | $0 | ||
| We recommend the DHS Office of the Chief Information Officer develop and implement policies and procedures to improve the vulnerability management process and to ensure: • tools used for credentialed scans can detect known vulnerabilities; • credentialed scans are completed and assessed in accordance with DHS guidance; • plans to address vulnerabilities are created and implemented promptly in accordance with DHS guidance; and • the risk of noncompliant enterprise-level system settings is formally accepted or mitigated. | |||||
| 7 | No | $0 | $0 | ||
| We recommend I&A’s Directorate of Technology and Data Services update its policies and procedures for notification of official foreign travel to incorporate DHS Office of the Chief Information Officer guidance and ensure mobile devices receive proper authorization for international travel. | |||||
| 8 | No | $0 | $0 | ||
| We recommend the DHS Office of the Chief Information Officer develop and implement policies and procedures to ensure mobile devices are configured with minimal features and applications based on mission needs. | |||||
| 9 | No | $0 | $0 | ||
| We recommend I&A’s Directorate of Technology and Data Services coordinate with DHS Office of the Chief Information Officer to develop and implement a memorandum of understanding that clearly defines roles, responsibilities, and accountability for the inventory management of I&A mobile devices. | |||||
| 10 | No | $0 | $0 | ||
| We recommend the DHS Office of the Chief Information Officer update and implement policies and procedures to improve its mobile device management to ensure: • OCIO-issued mobile devices are enrolled in the mobile device management system; • documentation is required for devices that receive waivers from the policy; • all reported lost, stolen, and disposed-of I&A mobile devices are unenrolled from the mobile device management system; • all lost or stolen mobile devices and those I&A no longer needs are reported to the Office of the Chief Information Officer to be remotely wiped by the mobile device management system; and • all mobile devices are sanitized before they are released from Office of the Chief Information Officer custody for disposal. | |||||
| 11 | No | $0 | $0 | ||
| We recommend I&A’s Directorate of Technology and Data Services coordinate with the DHS Office of the Chief Information Officer to develop and implement policies and procedures to improve the management of mobile services and ensure: • all mobile devices without a business need are unenrolled from mobile services; • mobile service overage charges are incurred in support of mission needs; and • mobile device use is routinely monitored and reported to prevent paying for unnecessary devices and services. | |||||
