OIG Finds Cyber Lapses at TSA, CBP, Agencies Addressing Concerns

A pair of reports uncovered cybersecurity concerns at two Department of Homeland Security (DHS) components.

The Office of Inspector General (OIG) reviewed whether U.S. Customs and Border Protection (CBP) and the Transportation Security Administration (TSA) were implementing the proper controls to safeguard High Value Asset (HVA) systems. HVA systems include data and high-value information that, if improperly accessed, could cause “significant impact to national security interests, foreign relations, the economy, and public safety and security.”

The reports found that both agencies had deficiencies.

CBP Concerns

For CBP, the inspector general found that overall, the agency “implemented most security and privacy controls we tested for the HVA and had an effective patch management process to remediate vulnerabilities in the HVA database.”

However, the OIG found deficiencies in two of eight control families: Configuration Management and Supply Chain Risk Management (SCRM).

For configuration management, the report said CBP did not have waivers or risk acceptance letters for noncompliant configuration management settings. However, OIG determined the overall compliance rate was effective.

The report found CBP did not implement a system-level SCRM plan as recommended by the most recent National Institute of Standards and Technology (NIST) guidance and required by the Office of Management and Budget (OMB). The report blamed DHS for its “delayed development and publication of its department-level guidance instructing components to adopt the NIST controls, including system-level SCRM plans.”

Since the audit, CBP migrated the HVA system to a cloud-based environment as part of its modernization effort and retired the servers that had configuration management deficiencies. Therefore, OIG did not make recommendations.

TSA Issues

For TSA, the audit identified more concerns, including deficiencies in eight of ten HVA security areas:

• configuration management

• risk assessment

• supply chain risk management

• access control

• planning

• awareness and training

• assessment, authorization, and monitoring

• contingency planning

Only the “audit and accountability” and “incident response” security areas passed without concerns.

“Until these deficiencies are addressed, TSA is less equipped to protect the selected HVA system and cannot ensure it will be able to quickly detect, respond to, and recover from a cyberattack,” wrote OIG.

Some of the issues found include TSA not ensuring that all known software updates were promptly applied as required by DHS, not addressing vulnerabilities within compliance timeframes, and not maintaining a current list of the selected HVA system users and their authorized level of access.

Since the review, TSA says it has taken steps to fix some of the concerns, including applying security patches to fix some of the vulnerabilities identified and strengthening policies and procedures on user management. It also concurred with the OIG’s 12 recommendations.

The OIG conducted the review as part of its Federal Information Security Modernization Act of 2014 (FISMA) oversight.

