The Department of Homeland Security Headquarters (HQ) did not adequately secure a non-Tier 1 High Value Asset (HVA) system used to support data analysis and reporting on DHS component operations, which rendered the system and its sensitive information vulnerable to cyberattacks. Although DHS HQ developed policies and procedures meant to reduce risks to sensitive information stored on the HVA system and effectively implemented certain controls, we determined the system did not meet security requirements. We identified nine unique critical and high-risk vulnerabilities that appeared 182 times in the system and, through simulated cyberattack penetration testing, were able to exploit vulnerabilities. The vulnerabilities we identified pose significant security risks, increasing the likelihood an attacker could gain access to sensitive information. These deficiencies demonstrate that DHS HQ needs to strengthen its management of the HVA system. Ensuring the system complies with the Department’s security and privacy policies will better protect the sensitive information processed by the system. Until these deficiencies are addressed, DHS HQ may not be equipped to protect the HVA system and cannot ensure it will be able to quickly respond to and recover from a cyberattack.
Open Recommendations
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details |
|---|---|---|---|---|
| 1 | No | $0 | $0 | We recommend the DHS Office of the Chief Information Officer require the High Value Asset system owner to apply security updates and software patches to remediate vulnerabilities on all devices in accordance with applicable DHS policies. |
| 2 | No | $0 | $0 | We recommend the DHS Office of the Chief Information Officer require the High Value Asset system owner to perform configuration testing and verify that all approved settings are implemented. |
| 3 | No | $0 | $0 | We recommend the DHS Office of the Chief Information Officer require the High Value Asset system owner to implement multifactor authentication for all database and application programming interface accounts. |
| 4 | No | $0 | $0 | We recommend the DHS Office of the Chief Information Officer direct the High Value Asset system owner to ensure user accounts are reviewed annually. |
| 5 | No | $0 | $0 | We recommend the DHS Office of the Chief Information Officer confirm the current enterprise learning management system adequately retains documentation to demonstrate users’ compliance with security awareness training, privileged user training, and role-based training. |