DHS has some house keeping to do

The office of the Inspector General of the Department of Homeland Security has issued a 41 page report on how the department is progressing on security. Summary findings:

Systems are being accredited without key documents or missing key information.

Plans of Action and Milestones are not being created for all information security weaknesses.

Plans of Action and Milestones are not being monitored and resolved in a timely manner.

Baseline security configurations are not being implemented for all systems.

This report is part of an ongoing requirement of every branch of government to report on the progress they are making in complying with NIST and other security standards. While it helps to expose a lot of areas as slow to respond and lacking in basic reporting and response capabilities I am afraid that is is glossing over some blatant holes in DHS security.

High level reports like this are not going to dig down to the level that I am more experienced with; ports, vulnerabilities, infections etc. But incidents like the recent dual theft of laptops from TSA (no secure cleanup, no encryption) lead one to believe that a look at actual audits would have a typical security practitioner weeping.

While the issue of accrediting networks as passing without maintaining the proper paper work is one that government oversight bodies can sink their teeth in to I feel that getting deep into configs, rules, and defenses is needed to truly understand the sad state of affairs at DHS.