Information Security: Department of Homeland Security Needs to Fully Implement Its Security Program Page: 2 of 36
Highlights of GAO-05-700, a report to the
Ranking Minority Member, Committee on
Homeland Security and Governmental
Affairs, U.S. Senate
Why GAO Did This Study
The Homeland Security Act of 2002
mandated the merging of 22 federal
agencies and organizations to
create the Department of
Homeland Security (DHS), whose
mission, in part, is to protect our
homeland from threats and attacks.
DHS relies on a variety of
computerized information systems
to support its operations. GAO was
asked to review DHS's information
security program. In response,
GAO determined whether DHS had
developed, documented, and
implemented a comprehensive,

To assist DHS in fully
implementing its program, GAO is
making recommendations to the
Secretary of DHS to implement key
information security practices and
controls and to establish
milestones for verifying the
department's reported performance
data. In providing written
comments on a draft of this report,
DHS generally agreed with the
contents of the report and
described actions recently
completed, ongoing, or planned to
implement its program.
To view the full product, including the scope
and methodology, click on the link above.
For more information, contact Gregory
Wilshusen at 202-512-6244 or
Department of Homeland Security Needs
to Fully Implement Its Security Program
What GAO Found
DHS has not fully implemented a comprehensive, departmentwide
information security program to protect the information and information
systems that support its operations and assets. It has developed and
documented departmental policies and procedures that could provide a
framework for implementing such a program; however, certain
departmental components have not yet fully implemented key information
security practices and controls. For example, risk assessments, needed to
determine what controls are necessary and what level of resources should
be expended on them, were incomplete. Elements required for information
system security plans, which would provide a full understanding of existing
and planned information security requirements, were missing. Testing and
evaluation of security controls, which are needed to determine the
effectiveness of information security policies and procedures, were
incomplete or not performed. Elements required for remedial action plans,
which would identify the resources needed to correct or mitigate known
information security weaknesses, were missing, as were elements required
for continuity of operations plans to restore critical systems in case of
unexpected events. The table below indicates with an "X" where GAO found
weaknesses. In addition, DHS had not yet fully developed a complete and
accurate systems inventory.
Weaknesses in Information Security Practices and Controls of Selected DHS Components
DHS component | Risk assessment | Security plan | Security test and evaluation | Remedial action plans | Continuity of operations
US-VISIT n/a X(a) n/a n/a n/a
ICE X X X
TSA X X X
ICE X X X
TSA X X X X
EP&R X X X X
Sources: GAO analysis of DHS information for United States Visitor and Immigrant Status Indicator Technology (US-VISIT),
Immigration and Customs Enforcement (ICE), Transportation Security Administration (TSA), and Emergency Preparedness and
(a) For US-VISIT, GAO reviewed only the security plan.
Shortfalls in executing responsibilities for ensuring compliance with the
information security program allowed these weaknesses to occur. Although
DHS has an organization that is responsible for overseeing the component
implementation of key information security practices and controls, its
primary means for doing so, an enterprisewide tool, has not been reliable.
Until DHS addresses weaknesses with using the tool and implements a
comprehensive, departmentwide information security program, its ability to
protect its information and information systems will be limited.
United States Government Accountability Office
United States. Government Accountability Office. Information Security: Department of Homeland Security Needs to Fully Implement Its Security Program, report, June 17, 2005; Washington D.C.. (https://digital.library.unt.edu/ark:/67531/metadc295505/m1/2/: accessed April 20, 2019), University of North Texas Libraries, Digital Library, https://digital.library.unt.edu; crediting UNT Libraries Government Documents Department.