Department of Homeland Security officials are operating hundreds of digital systems — including many containing “sensitive but unclassified” and “secret” information and data — without proper authorization and possibly outside of the government’s capital budget and accounting rules.
Agencies are required to have what are known as “Authorization to Operate” letters from senior DHS officials in order to maintain and use digital information systems for processing government information and data.
But the DHS inspector general found that “the number of ‘SBU’ and ‘Secret’ systems without valid ATOs has increased significantly over the past three years. For example, the number of ‘Secret’ systems without a valid ATO increased from six in fiscal year 2012 to 32 in FY 2014. In addition, the number of ‘SBU’ systems increased from 70 in FY 2012 to 159 in FY 2014.”
Not having the ATO is a serious problem because it makes it extremely difficult for outsiders to verify whether the unauthorized system satisfies government security standards or meets Office of Management and Budget system replacement regulations.
The lack of an ATO also makes it harder for DHS managers to track and report accurately to Congress on the department’s capital budget status.
That means agencies within the department like the U.S. Secret Service, Immigration and Customs Enforcement or Transportation Security Administration could be operating information systems independently of DHS senior executives.
The missing ATOs were but one element in a lengthy DHS IG report describing a homeland security department that is rife with outdated and insecure information systems.
At the Federal Emergency Management Agency and Citizenship and Immigration Service, for example, officials are still using the Windows XP operating system that first appeared in 2001. That system is so old that it “may be vulnerable to potential exploits as Microsoft stopped providing software updates to mitigate security vulnerabilities in April 2014,” the report said.
More than 3,300 CIS workstations are using Windows XP, but DHS managers told the IG those workstations would all be converted to Windows 7 configurations by the end of the year.
Also, DHS information systems inventory controls are so bad that a “FEMA ‘Top Secret’ system, which was decommissioned in 2012, was still reported as operational in DHS’ enterprise management tools in August 2014.”
The IG said Windows 7 workstations already functioning in DHS lacked security patches for Internet Explorer and Firefox browsers, major media players like Shockwave and Microsoft Office Products. Some of the missing patches dated to October 2011.
Some of the missing critical security patches identified as missing on Windows XP workstations dated back to November 2009.
Go here for the full 62-page DHS IG report.
Mark Tapscott is executive editor of the Washington Examiner.
