Despite recent efforts to mitigate cybersecurity risks to networks supporting the nation’s critical infrastructure, the U.S. Department of Homeland Security (DHS) has “not taken sufficient actions” to accomplish that goal, according to a Government Accountability Office (GAO) report released on Tuesday.
Highlighting positive steps to secure federal and public-sector computer networks, GAO noted DHS provides limited intrusion detection and prevention capabilities across the federal government, issues binding operational directives to bolster cybersecurity and serves as the go-between for public-private cybersecurity information sharing. Additionally, DHS promotes use of the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity and has partially identified gaps in its cybersecurity workforce.
“Nevertheless, the department has not taken sufficient actions to ensure that it successfully mitigates cybersecurity risks on federal and private-sector computer systems and networks,” GAO stated. “For example, GAO reported in 2016 that DHS’s National Cybersecurity Protection System (NCPS) had only partially met its stated system objectives of detecting and preventing intrusions, analyzing malicious content and sharing information. GAO recommended that DHS enhance capabilities, improve planning and support greater adoption of NCPS.”
GAO concluded that DHS needs to do a better job of assessing the effectiveness of cybersecurity risk mitigation activities with private-sector infrastructure partners. The report also found that while the DHS National Cybersecurity and Communications Integration Center performs required functions like sharing timely cybersecurity information, DHS has failed to adopt earlier recommendations to “evaluate its activities more completely.”
Additionally, GAO made 29 recommendations for DHS to enhance NCPS capabilities in fiscal year 2016. The GAO report found that “DHS had not demonstrated that it had fully implemented most of the recommendations” at the time of the review.