Evaluation of DHS' Information Security Program for Fiscal Year 2019

DHS’ information security program was not effective for Fiscal Year 2019 because the Department earned a maturity rating of “Ad Hoc” (Level 1) in three of five functions, compared to last year’s higher overall rating of “Managed and Measurable” (Level 4). We attributed DHS’ regression in managing its information security program to its recent decision to permit the Coast Guard to submit its cybersecurity and Federal Information Security Management Act (FISMA) reports to the Department of Defense rather than to DHS. This decision adversely affects Department senior leadership’s ability to make informed and risk-based decisions on essential cybersecurity activities such as risk management, weakness remediation, system inventory, incident reporting, and continuous monitoring. We made five recommendations. The Department concurred with all five recommendations.