Homeland Security's IT security continues to fall short
The Office of Inspector General (OIG) has released its “Evaluation of DHS' Information Security Program for Fiscal Year 2017” (pdf). In short, the Department of Homeland Security (DHS) is running outdated software, has unpatched critical vulnerabilities — including the flaw that let the WannaCry ransomware spread — and some workstation security patches haven’t been deployed for years.
When President Trump issued an executive order in May 2017 about strengthening the cybersecurity of federal networks and critical infrastructure, each federal agency was required to use the NIST Cybersecurity Framework to manage cybersecurity risk.
The OIG assigned a maturity level to each of an agency’s cybersecurity functions: 1) ad-hoc; 2) defined; 3) consistently implemented; 4) managed and measurable; and 5) optimized. If an agency achieves Level 4 in the majority of the five cybersecurity functions, its information security program is considered to be “effective overall.”