
DHS Procurement Cyber Reporting Requirement Needs Clarifying, Watchdog Finds

The Government Accountability Office noted that several major acquisition programs at DHS didn’t think the requirement applied to them.

The Department of Homeland Security needs to clarify its cybersecurity reporting policy for its major acquisition programs, particularly as the agency will spend more than $4 billion on them this fiscal year, according to a watchdog report from late last week.

The Government Accountability Office reviewed 25 of DHS’s major acquisition programs—used to buy products and services to help secure the border, screen travelers and improve disaster responses—and found 18 of the programs met their cost and schedule goals for fiscal year 2022. Additionally, five programs asked for COVID-19 baseline adjustments.

Meanwhile, according to the report, major DHS programs must identify their cybersecurity risks in a memo as they consider cybersecurity throughout the procurement lifecycle. Major acquisition programs are supposed to present a cybersecurity risk recommendation memorandum at acquisition decision events to identify the cybersecurity status and their risk recommendation—high, medium or low. However, GAO noted that, since the requirement was implemented over two years ago, none of the programs that had relevant acquisition events complied with this requirement “because they didn’t think this requirement applied to them.” 

Of the seven examined programs that had relevant acquisition events, one gave documentation showing DHS waived this requirement. The six remaining programs either used other documentation, said the memo was not applicable to the program, or said they did not create one.

GAO noted that the memo requirement does not clarify when it can be waived, when it is not applicable, or when, and what, other documentation could be used instead. Therefore, programs can be unprepared to provide this information when it is required.

As a result, the watchdog urged DHS to clarify this mandate. According to GAO, the lack of clarification and the confusion could hinder DHS’s cybersecurity risk assessment and mitigation efforts.

DHS concurred with the recommendation and noted that it planned to implement it by March 30, 2024.

The GAO report was originally released in March 2023, but the public version issued last week omits information DHS deemed sensitive. In the sensitive version of the report, GAO made an additional recommendation.

Copyright 2021 Associated Press. All rights reserved.

Source: https://www.nextgov.com/cybersecurity/2023/04/dhss-procurement-cyber-reporting-requirement-needs-clarifying-watchdog-finds/385541/
