A Government Accountability Office (GAO) report found that the Federal Aviation Administration (FAA), Indian Health Service, and Small Business Administration (SBA) are using security tools given to them by the Department of Homeland Security (DHS) as they’re intended: to identify hardware and software on their networks that may have vulnerabilities and insecure configurations. But GAO said the agencies have more to do to manage their networks in order to get the full value of the tools.
The tools DHS provides supply cybersecurity data to the agency’s Continuous Diagnostics and Mitigation (CDM) program: they collect information that is then aggregated and compared with expected outcomes, for example whether device configuration settings meet Federal benchmarks. The collected data is integrated and displayed on individual agency dashboards and on a Federal dashboard managed by DHS.
GAO said the CDM program has improved network awareness at FAA, Indian Health Service, and SBA, but the government watchdog pointed out that none of the three agencies had effectively implemented all key CDM program requirements. In particular, GAO said, the three agencies had not fully implemented hardware management requirements, which in turn prevented the CDM tools from providing an accurate count of the hardware on their networks.
“The agencies identified various challenges to implementing the program, including overcoming resource limitations and not being able to resolve problems directly with contractors,” the report said. “DHS had taken numerous steps to help manage these challenges, including tracking risks of insufficient resources, providing forums for agencies to raise concerns, and allowing agencies to provide feedback to DHS on contractor performance.”
GAO made six recommendations to DHS, with which the agency concurred, including “to ensure that contractors provide unique hardware identifiers.” It made nine recommendations to FAA, SBA, and the Indian Health Service – with which each agency concurred – including recommendations to compare configurations to benchmarks.
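The two CDM checks the report keeps returning to, reconciling inventory records into an accurate hardware count (which fails when records lack a unique hardware identifier) and comparing device configuration settings against a benchmark, can be shown in a small script. The following is an added example written for this article, not code from GAO, DHS, or the CDM program’s own tooling; the benchmark values, sensor feeds, serial numbers and hostnames are all constructed for illustration.

```python
"""Added example: why unique hardware identifiers matter for an accurate
device count, and how configuration settings are compared to a benchmark.
All benchmark values, inventory records and identifiers are constructed."""
from collections import defaultdict

# Constructed benchmark: expected values for a few configuration settings.
BENCHMARK = {
    "password_min_length": 14,
    "screen_lock_timeout_min": 15,
    "remote_admin_enabled": False,
}

# Constructed inventory feeds from two hypothetical sensors ("agent" and
# "scanner"). The same physical device can appear in both feeds; only a
# stable unique identifier (here a serial number) lets the records be merged.
INVENTORY_FEEDS = [
    {"sensor": "agent", "serial": "SN-0001", "hostname": "ws-01",
     "config": {"password_min_length": 14, "screen_lock_timeout_min": 15,
                "remote_admin_enabled": False}},
    {"sensor": "scanner", "serial": "SN-0001", "hostname": "ws-01.local",
     "config": {"password_min_length": 14, "screen_lock_timeout_min": 15,
                "remote_admin_enabled": False}},
    {"sensor": "agent", "serial": "SN-0002", "hostname": "ws-02",
     "config": {"password_min_length": 8, "screen_lock_timeout_min": 15,
                "remote_admin_enabled": True}},
    # Two records for one printer that reported no identifier at all.
    {"sensor": "scanner", "serial": None, "hostname": "printer-3", "config": {}},
    {"sensor": "agent", "serial": None, "hostname": "printer-3", "config": {}},
]


def reconcile_inventory(records):
    """Group records by unique hardware identifier.

    Returns (devices keyed by serial, records that carried no identifier).
    Records without an identifier cannot be safely merged with anything."""
    devices = defaultdict(list)
    unidentified = []
    for rec in records:
        if rec.get("serial"):
            devices[rec["serial"]].append(rec)
        else:
            unidentified.append(rec)
    return dict(devices), unidentified


def hardware_count(records):
    """Return (confirmed_count, naive_count).

    confirmed_count is the number of distinct identified devices;
    naive_count is what an aggregator reports if every unmatched record
    is treated as its own device, which inflates the count."""
    devices, unidentified = reconcile_inventory(records)
    return len(devices), len(devices) + len(unidentified)


def compare_to_benchmark(config, benchmark=BENCHMARK):
    """Return a list of (setting, expected, actual) deviations.

    A setting missing from the device's config is reported as a deviation
    (actual=None) rather than silently passing."""
    findings = []
    for setting, expected in benchmark.items():
        actual = config.get(setting)
        if actual != expected:
            findings.append((setting, expected, actual))
    return findings


def dashboard_summary(records, benchmark=BENCHMARK):
    """Aggregate the feeds into the figures a dashboard would display."""
    devices, unidentified = reconcile_inventory(records)
    confirmed, naive = hardware_count(records)
    deviations = {}
    for serial, recs in devices.items():
        # Use the first record that actually carried configuration data.
        config = next((r["config"] for r in recs if r["config"]), {})
        findings = compare_to_benchmark(config, benchmark)
        if findings:
            deviations[serial] = findings
    return {
        "confirmed_devices": confirmed,
        "records_without_identifier": len(unidentified),
        "count_if_unidentified_records_are_devices": naive,
        "benchmark_deviations": deviations,
    }


if __name__ == "__main__":
    for key, value in dashboard_summary(INVENTORY_FEEDS).items():
        print(f"{key}: {value}")
```

With the constructed feeds, the dashboard reports two confirmed devices but two records with no identifier; counting those records as devices would report four, which is the kind of inaccurate hardware count the report describes. The benchmark comparison flags only SN-0002, for a short minimum password length and remote administration being enabled.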