The Department of Homeland Security is tasked with shielding the US government from sophisticated cyber attacks, but the agency is again getting lackluster marks for its own security defenses. A recent report from the DHS inspector general highlighted the agency's continued tardiness in updating its systems to account for known cyber threats. "Plans of action and milestones are not being created for all known information security weaknesses or mitigated in a timely manner," the report says. The inspector also raised concerns over delays in establishing surefire verification methods that ensure sensitive data is only available to privileged users.
As reported by Politico, the IG also points out that computers at DHS headquarters are still running Windows XP; Microsoft plans to stop providing security updates for the aging OS next year. The TSA and even the Office of Inspector General itself are also still relying on XP. "Additional information security program areas that need improvement include incident detection and analysis, specialized training, account and identity management, and contingency planning," says the OIG. But the report isn't entirely negative. Overall, the inspector general says "DHS continues to improve and strengthen its information security program." As evidence of this progress, the report cites effective changes to methodology and a Fiscal Year 2013 Information Security Performance Plan document that "defines the performance requirements, priorities, and overall goals for the Department throughout the year."
As for the OIG's complaints, the Department acknowledges that it has plenty of work to do, but that's not satisfactory to some on Capitol Hill. Republican Tom Coburn says that "gaps" in DHS protections "would be obvious to a 13-year-old with a laptop." Coburn went on to say that DHS systems "don't keep track of weaknesses when they're found and they don't fix them in time to make a difference."