Federal Manager's Daily Report

The IG made five recommendations to the chief information officer that it says the department has already begun acting on.

It called on the CIO to improve the Office of Information Security's review process to ensure that all plans of action and milestones (POA&Ms) are complete, accurate and current, to review them to identify causes of recurring and similar weaknesses across the department, and to determine whether delays in closing them are reasonable.

DHS agreed and said its fiscal 2008 performance plan would incorporate additional requirements to address classified systems and unreasonable delays, and the IG added that the department significantly improved component POA and milestone oversight in fiscal 2007.

The report recommended that DHS improve OIS's review process to ensure all certification and accreditation documents are properly prepared before a system is accepted by the CISO as "accredited"; DHS agreed. The department said it would incorporate additional requirements to address artifact completeness and to further identify weaknesses in plans of action and milestones.

The IG also called on DHS to establish a process to ensure that configuration requirements are implemented and maintained on all systems, to implement a department-wide vulnerability assessment program to perform periodic testing to evaluate DHS’ security posture, and to establish appropriate training for all individuals with significant security responsibilities. DHS agreed with these recommendations as well.

The department's fiscal 2008 performance plan will incorporate additional requirements to establish a monitoring process for configuration requirements at the system level and to validate that components are completing annual vulnerability scans, according to the report.

It said the DHS Security Operations Center has begun performing component vulnerability assessments and will continue to perform them in fiscal 2008.

The report also said the department provides specialized training at its Security Conference, and that its fiscal 2008 performance plan will incorporate additional requirements to track individuals and establish appropriate training.