Homeland Security Department agencies don’t sustain their information security programs year-round or perform continuous monitoring to maintain systems’ accreditations and action plans, according to DHS Inspector General Richard Skinner.
The IG’s findings come from an annual independent evaluation of the department’s information security programs required by the Federal Information Security Management Act (FISMA). The law requires agency IGs to conduct the evaluations and agencies themselves to also conduct an annual information security evaluation.
Overall monthly FISMA information security scores for DHS agencies drop considerably once the annual FISMA reporting deadline has passed, the IG found. Scores for how well DHS agencies perform certification and accreditation (C&A) and maintain plans of action and milestones (POA&M) peak in the months when annual FISMA reporting is due and then quickly drop, the report said.
Skinner also said DHS’ Privacy Office is experiencing delays in reviewing and approving the privacy impact assessments (PIAs) that it is required to complete for many DHS IT systems.