U.S. Immigration and Customs Enforcement (ICE) did not effectively manage and secure its mobile devices or the infrastructure supporting the devices. Specifically, ICE did not implement security settings required to protect its mobile devices and did not mitigate vulnerabilities from applications installed on these devices. In addition, ICE did not use its Mobile Device Management software and other threat defense tools to fully manage and secure some mobile devices and did not address vulnerabilities within the Mobile Device Management software and the servers supporting it. Further, ICE did not implement increased monitoring and protection for devices used outside the United States, which were at a higher risk of cyberattacks. Finally, ICE did not always perform required steps to reduce risks associated with disposal, loss, or theft of its mobile devices.
Open Recommendations
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | |
|---|---|---|---|---|---|
| 1 | No | $0 | $0 | ||
| We recommend that the ICE Office of the Chief Information Officer implement all necessary mobile device security settings per guidance from DHS and the Defense Information Systems Agency’s Security Technology Implementation Guides. | |||||
| 2 | No | $0 | $0 | ||
| We recommend that the ICE Office of the Chief Information Officer develop and implement policies and procedures to ensure source code scans are performed on ICE-developed applications as required. | |||||
| 3 | No | $0 | $0 | ||
| We recommend that the ICE Office of the Chief Information Officer develop and implement policies and procedures to improve the vulnerability management process to ensure:• credentialed scans are completed and assessed, per DHS guidance;• limitations posed by non-credentialed scans are properly and promptly reported per DHS guidance;• plans to address vulnerabilities are created and implemented promptly, per DHS guidance; and• formal acceptance of, or mitigate the risk of, noncompliant enterprise-level system settings. | |||||
| 4 | No | $0 | $0 | ||
| We recommend that the ICE Office of the Chief Information Officer develop and implement policies and procedures to monitor and block unauthorized network access attempts from mobile devices in foreign locations. | |||||
| 5 | No | $0 | $0 | ||
| We recommend that the ICE Office of the Chief Information Officer revise and implement policies and procedures to protect ICE-issued mobile devices that have been authorized for use on international travel, per DHS and National Institute of Standards and Technology guidance. | |||||
| 6 | No | $0 | $0 | ||
| We recommend that the ICE Office of the Chief Information Officer develop and implement policies and procedures to protect ICE-issued mobile devices used by employees permanently stationed outside the United States. | |||||
| 7 | No | $0 | $0 | ||
| We recommend that the ICE Office of the Chief Information Officer update and implement policies and procedures to ensure mobile devices are sanitized before they are released from ICE custody for disposal. | |||||
| 8 | No | $0 | $0 | ||
| We recommend that the ICE Office of the Chief Information Officer update and implement clear policies and procedures to ensure all lost and stolen mobile devices are treated as security incidents and the associated incident tickets are routed to the ICE Security Operations Center. | |||||
