While the Department of Homeland Security has made gains in strengthening its internal cybersecurity and technology best practices, it continues to suffer from serious vulnerabilities, according to a new report from the DHS inspector general. DHS cybersecurity policies continue to fall far below acceptable standards, even as the agency acts as the government lead.

Among the dirty laundry list of security problems are inadequate authentication, failure to properly track its information systems, and use of outdated software.

“We identified a number of issues that DHS needs to address to strengthen its security posture,” the report stated. “For example, we determined that components are not satisfying all of the Department’s information security policies, procedures, and practices.”

In particular, DHS came up short on its plan of action and milestones (POA&M) management, system security authorization and consolidation of external network connections, the report said. Plus, components have not been implemented for all system configurations in accordance with DHS policies and procedures.

Also, for at least a year, DHS has not had a management program for tracking security vulnerabilities in classified systems.

“DHS does not monitor the adequacy of the POA&Ms for its ‘Top Secret’ systems,” the report noted. “As a result, DHS cannot ensure that POA&Ms have been created to mitigate the security vulnerabilities identified on its ‘Top Secret’ systems and ensure they are managed in accordance with DHS’ policies and procedures.”

This isn’t the first time DHS has been criticized for failing to meet minimum security standards. The agency, which is responsible for a large portion of the federal government’s security programs, has been previously criticized by members of Congress and the IG for failing on standard requirements like patching, authentication standards and control of external systems.

The latest report drew the ire of Senator Tom Coburn (R-Okla.), ranking member of the Senate Homeland Security and Governmental Affairs Committee, who chastised the DHS in a statement.

“This report shows major gaps in DHS’s own cybersecurity, including some of the most basic protections that would be obvious to any 13-year-old with a laptop,” said Coburn. “DHS doesn’t use strong authentication. It relies on antiquated software that’s full of holes. Its components don’t report security incidents when they should. They don’t keep track of weaknesses when they’re found, and they don’t fix them in time to make a difference.”

Coburn added that DHS and other agencies should at least exercise the same cybersecurity practices the private sector uses to protect the nation’s critical infrastructure from cyber attacks.

Chandler Harris is a freelance business and technology writer located in Silicon Valley. He has written for numerous publications including Entrepreneur, InformationWeek, San Jose Magazine, Government Technology, Public CIO, AllBusiness.com, U.S. Banker, Digital Communities Magazine, Converge Magazine, Surfer's Journal, Adventure Sports Magazine, ClearanceJobs.com, and the San Jose Business Journal. Chandler is also engaged in helping companies further their content marketing needs through content strategy, optimization and creation, as well as blogging and social media platforms. When he's not writing, Chandler enjoys his beach haunt of Santa Cruz where he rides roller coasters with his son, surfs and bikes across mountain ranges.