FEDweek IT

DHS has begun taking steps to understand the cyber risk to building and access control systems of federal facilities, but significant work remains, GAO has said.

The lack of a strategy that clearly defines the roles and responsibilities of key components within DHS has contributed to a lack of action within the department, according to GAO-15-6.

It says GSA also has not fully assessed the risk of a cyber attack on building control systems in a manner that is consistent with the Federal Information Security Management Act of 2002 (FISMA) or its implementation guidelines. (GSA plans to complete assessments of all 1,500 FPS-protected facilities in 2015, though GAO said the assessments it reviewed were inconsistent or incomplete.)

An official with the National Protection and Programs Directorate whom GAO contacted characterized cyber threats to these systems as an emerging issue, and another in the Interagency Security Committee – which is responsible for developing physical security standards for non-military facilities – said recent active shooter and workplace violence incidents have caused it to focus its efforts on policies in those areas first, according to the report.

GAO called on DHS to develop and implement a strategy to address cyber risk to building and access control systems as well as to direct ISC to revise its Design-Basis Threat report to include cyber threats to building and access control systems.

It further called on GSA to assess the cyber risk of its building control systems in a way that fully reflects FISMA and its guidelines.