The Department of Homeland Security has taken necessary steps to fix previously identified internal cybersecurity deficiencies, the agency’s watchdog said in its semi-annual report to Congress June 5.
In a March summary of DHS’ compliance with Federal Information Security Modernization Act requirements for intelligence systems, the agency’s Office of Inspector General said it found deficiencies in the department’s overall patch management process and shortfalls with the Cybersecurity and Infrastructure Security Agency’s weakness remediation and security awareness training activities. At the time, the inspector general said DHS concurred with all three recommendations. Neither report went into specifics on the recommendations nor the fixes.
In the semi-annual report, the DHS OIG reported one recommendation closed and two others resolved.
The report also said that DHS’ information security program for Top Secret/Sensitive Compartment Information intelligence system was ”effective” in three of five cybersecurity functions, but did not go into specifics on what five functions were measured, or which two were not marked “efficient.”
The Cybersecurity and Infrastructure Security Agency and DHS declined to comment on the report or specific recommendations. The Office of Inspector General did not respond to requests seeking more details on the report.
The report also notified lawmakers that the Federal Emergency Management Agency agreed to investigate the extent of a March data breach in which personal information of 2.3 million hurricane and wildfire survivors was given to an unidentified FEMA contractor.
The inspector general said FEMA agreed to create a process to protect disaster survivors “more effectively” in the future and implement tools to ensure that only required survivor data is provided to contractors. In a statement, FEMA said that it has reviewed the contractor’s information system and is no longer sharing unnecessary information with the contractor.
“To date, FEMA has found no indicators to suggest survivor data has been compromised,” a FEMA spokesperson said. “FEMA has also worked with the contractor to remove the unnecessary data from the system and updated its contract to ensure compliance with Department of Homeland Security cybersecurity and information-sharing standards. As an added measure, FEMA instructed contracted staff to complete additional DHS privacy training.”
This story has been updated to include a statement from FEMA.