Secret Service Withheld Monitoring Data from DHS

Agency Agrees to Furnish DHS with IT Security Information
The U.S. Secret Service last year refused to provide the Department of Homeland Security's chief information security officer with information about vulnerabilities culled from the continuous monitoring of the protective service's IT systems as required by the Federal Information Security Management Act.
An audit by DHS's Office of Inspector General also showed that several DHS agencies operated systems containing classified data without proper authorization; that systems at one agency remained vulnerable to the Heartbleed bug after the department's mitigation deadline; and that two agencies continue to use the now-unsupported Microsoft Windows XP operating system.
Citing concerns for operational security, the Secret Service declined to furnish the required continuous monitoring data feeds of its unclassified systems to the department during fiscal year 2014, which ended Sept. 30, DHS Inspector General John Roth wrote in an Oct. 29 memorandum to Secret Service Acting Director Joseph Clancy.
Clancy took over as head of the Secret Service, a DHS unit, following the Oct. 1 resignation of Director Julia Pierson, who was forced out following intense criticisms of security lapses at the agency, including an intruder gaining access to the White House.
DHS IT Systems Placed at Risk
"Your agency's action puts at risk its own information systems and those of the department as a whole," Roth wrote to Clancy. "I recognize the vital investigative and protective missions performed by Secret Service. However, I am deeply concerned that your agency's unwillingness to provide the required continuous monitoring data feeds prevents the department from overseeing and managing an effective security program."
In addition, Roth pointed out that the failure to share the continuous monitoring information meant that Clancy, as acting director, received no independent assurance that Secret Service IT systems were being managed correctly and were compliant with federal cybersecurity requirements.
After Roth sent the letter, IT and IT security specialists from the Secret Service and Homeland Security met to identify specific reporting requirements and reached an agreement on Nov. 7 detailing how the Secret Service would share the data collected from continuous monitoring. In a letter to Roth dated Nov. 7, Clancy explained that the Secret Service had concerns with DHS's method for providing the results, concerns that have since been resolved. He did not say what those concerns were.
[Chart: Number of Operational Systems Without Valid Authorizations to Operate. Source: DHS Office of Inspector General]
The letters appear as appendixes to DHS's annual audit required by FISMA, the law that governs federal government IT security. The audit also revealed that some DHS agencies continue to operate their IT systems, including some that contain secret and top secret information, without the proper authority. One example the IG cited was the Federal Emergency Management Agency, which had five top-secret systems operating without proper authority, some since August 2013.
FEMA also could not provide the annual assessment results for two of its top-secret systems, the IG reported. FISMA and DHS require controls be tested annually. "When controls are not tested," Roth said, "FEMA cannot ensure whether implemented controls are operating as designed on its top-secret systems."
Unsupported Windows XP Still in Use
The IG also said that FEMA and the U.S. Citizenship and Immigration Service still use the Microsoft Windows XP operating system, which may be exposed to exploits because Microsoft stopped providing security updates for it last April.
As part of the FISMA audit, IG examiners on July 23 discovered that two Citizenship and Immigration Service servers contained software vulnerable to Heartbleed, the security bug in the OpenSSL cryptographic library, despite a DHS directive requiring agencies to mitigate it by July 7. "While USCIS notified us that it had removed the vulnerable software subsequent to our testing," Roth said, "the delay in mitigating the high-risk vulnerability may have exposed sensitive DHS data to potential exploits."
The IG made six recommendations to DHS, which concurred with all of them. Among the recommendations are that agencies declare and report material weaknesses in their IT systems, that DHS expand its continuous monitoring strategy to include secret and top secret systems, and that DHS strengthen the process for ensuring that all its systems receive the proper authority to operate in accordance with Office of Management and Budget and National Institute of Standards and Technology security authorization guidance.