The Department of Homeland Security Office of Intelligence and Analysis (I&A) and Office of the Chief Information Officer (OCIO) did not effectively manage and secure I&A mobile devices, resulting in vulnerabilities and a higher risk of cyberattacks, unauthorized access to sensitive information, and waste. • Two I&A-developed apps used to share intelligence with law enforcement and first responders had three vulnerabilities known to I&A but not remediated, risking exploitation. • 76 percent of apps installed on I&A mobile devices pose security risks, are prohibited, or allow prohibited activities. • I&A and OCIO did not ensure I&A devices were authorized and protected for use outside of the United States, increasing the risk of exploitation by foreign adversaries. • I&A accounted for only 11 percent of mobile devices recorded in OCIO’s asset management system as issued to I&A staff, and OCIO did not properly sanitize disposed-of I&A mobile devices, risking protection of sensitive information. • 27 percent of mobile device and 44 percent of mobile device management system security settings did not comply with DHS requirements, exposing devices to cybersecurity risks such as unauthorized access and data breaches. These deficiencies occurred in part because I&A did not address known vulnerabilities in mobile apps. Additionally, OCIO did not establish or enforce security policies and procedures for mobile devices and supporting infrastructure, and in some cases had not identified vulnerabilities. Also, I&A’s foreign travel policy was outdated, and OCIO had not implemented separate security controls for I&A devices used for international travel. Data Access: OCIO denied us direct access to ServiceNow, which precluded an independent, comprehensive review of the data.
| Report Date | Agency Reviewed / Investigated | Report Title | Type | Location | |
|---|---|---|---|---|---|
| Department of Homeland Security | Deficiencies in I&A Mobile Device Security Create Vulnerabilities, Place Information at Increased Risk | Audit | Agency-Wide | View Report | |
| Department of Justice | Audit of the Office on Violence Against Women Grant to Reduce Domestic Violence, Dating Violence, Sexual Assault and Stalking on Campus Program Awarded to Arcadia University, Glenside, Pennsylvania | Audit |
|
View Report | |
| Environmental Protection Agency | Audit of Environmental Finance Centers Providing Water Infrastructure Technical Assistance in EPA Region 4 | Audit | Agency-Wide | View Report | |
| Department of War | Evaluation of DoW Voting Assistance Programs for Calendar Year 2025 | Inspection / Evaluation | Agency-Wide | View Report | |
| Internal Revenue Service | IRS Needs to Improve Oversight of the Special Agent Criminal Investigative Techniques Training Program | Inspection / Evaluation | Agency-Wide | View Report | |
| Department of the Treasury | Final Determination on Corrective Actions for the Desk Review of Baltimore County, Maryland’s Use of Coronavirus Relief Fund Proceeds (OIG-CA-25-004) | Other | Agency-Wide | View Report | |
| Department of Justice | Audit of the Office of Justice Programs Bureau of Justice Assistance Comprehensive Opioid, Stimulant, and Substance Use Program Grants Awarded to the City of Newburyport, Newburyport, Massachusetts | Audit |
|
View Report | |
| Environmental Protection Agency | Evaluation of Trends in Resource Conservation and Recovery Act State-Level Enforcement Data | Inspection / Evaluation | Agency-Wide | View Report | |
| Department of Homeland Security | DHS Wildfire Sensors Did Not Consistently Detect Fires and Provide Early Warning | Audit | Agency-Wide | View Report | |
| National Archives and Records Administration | Management Alert: IT Access Control Vulnerabilities for OIG Electronic Records | Other | Agency-Wide | View Report | |
