We determined that USCIS did not apply the IT access controls needed to restrict unnecessary access to its systems, networks, and information. Specifically, USCIS did not consistently manage access for personnel, service accounts, and privileged users. We attribute these deficiencies to insufficient internal controls and day-to-day oversight to ensure access controls are administered appropriately and effectively to prevent unauthorized access. Additionally, we determined USCIS did not implement all the required security settings and updates for its IT systems and workstations to help reduce the risks that may result from an access control weakness. Although USCIS systems and workstations were generally compliant with required security standards, not all required settings and updates were implemented due to concerns that they may negatively impact system operations. Lastly, we determined that while USCIS appropriately relied on departmental guidance for access control policies and procedures, the guidance was outdated and did not include the latest Federal requirements. These deficiencies may limit the Department’s ability to reduce the risk of unauthorized access to its network, which may disrupt mission operations. We made 10 recommendations to improve USCIS’ access controls and system security and DHS’ access control guidance. USCIS and DHS concurred with all 10 recommendations.
Report File:
Date Issued:
Submitting OIG: Department of Homeland Security OIG
Other Participating OIGs: Department of Homeland Security OIG
Agencies Reviewed/Investigated: Department of Homeland Security
Components: United States Citizenship and Immigration Services (USCIS)
Report Number: OIG-22-65
Report Description:
Report Type: Audit
Agency Wide: Yes
Number of Recommendations: 10
Questioned Costs: $0
Funds for Better Use: $0