While the Department of Homeland Security has made progress in strengthening its cybersecurity and IT practices, there are still gaps that need to be closed, according to a report released Monday.
The DHS inspector general said the agency has revised its information security practices to focus more on risk management and continuous monitoring and is meeting most of the targets set by the Office of Management and Budget.
But DHS components are using information systems that have expired authority to operate, the IG said, and the agency has not established a formal process to track all of its information systems and keep track of of its data and systems. The agency also does not have a central repository for what data is being stored in the public cloud, so it cannot monitor all of it.
DHS should improve its processes for monitoring information systems and keeping them updated while making sure that all have authority to operate, according to the report.
Sen. Tom Coburn, R-Okla., said in a statement the report shows there are serious gaps in DHS cybersecurity practices and it relies on “antiquated software that’s full of holes.”
“They don’t keep track of weaknesses when they’re found, and they don’t fix them in time to make a difference,” he said.