GAO finds DHS cybersecurity policy needs clarification, as CRRM requirement remains unclear

The U.S. Government Accountability Office (GAO) found that selected Department of Homeland Security (DHS) programs have not prepared cybersecurity memorandums ahead of acquisition decision events. Additionally, since the department’s acquisition cybersecurity instruction was issued, none of the seven programs that had subsequent acquisition decision events completed a cybersecurity risk recommendation memorandum (CRRM). 

“The instruction requires that major acquisition programs consider cybersecurity throughout the acquisition life cycle,” GAO said in its latest report. “Specifically, major acquisition programs are required to present a CRRM at acquisition decision events to identify the programs’ cybersecurity status and their risk recommendation (high, medium, low).” The CRRM is also used to identify the current cybersecurity status of an acquisition program. 

GAO recommends that the Secretary of Homeland Security ensure that, as the department updates its Instruction 102-01-012, it clarifies which major acquisition programs are required to have completed a CRRM before acquisition decision events and when exemptions apply.

GAO conducted a performance audit from January 2022 to March this year in accordance with generally accepted government auditing standards. This was its eighth annual assessment of DHS’ major acquisition programs. The government watchdog found that 18 of the 25 programs reviewed were meeting their cost and schedule goals by the end of FY 2022. “DHS also requires programs to identify their cybersecurity risks in a memo. However, none of the 7 programs we reviewed had done so because they didn’t think this requirement applied to them,” the report added.

DHS officials told GAO that a CRRM did not apply to their programs for various reasons, the report noted. In one instance, officials from the Transportation Security Administration’s Checkpoint Property Screening System program provided documentation that this requirement had been waived by DHS. The other six programs reported that other documentation was used instead, that a CRRM was not required or not applicable to their program, or that they simply did not develop one.

“The instruction does not clarify when the CRRM requirement might be waived, is not applicable, or when other documentation may be used in its place,” the GAO reported. “Since the release of the instruction, DHS’s Office of Chief Information Officer and Office of Program Accountability and Risk Management officials told us that they are not currently holding programs accountable for submitting these memorandums at ADEs. Program Accountability and Risk Management officials explained that, in part, they do not want to delay any program’s progress through the acquisition life cycle. These officials recognize that the memorandums are not being completed and said it is a priority to improve compliance in the future.” 

Specifically, “officials said they intend to educate programs and components on the purpose of the memorandums and to clarify requirements in a fiscal year 2023 update to the instruction.” 

According to DHS officials, CRRMs are intended to serve as a mechanism to encourage collaboration in addressing cybersecurity planning and testing across the acquisition life cycle, and to document agreement between the program, component, and the department, GAO reported. “These memorandums would, according to Program Accountability and Risk Management officials, provide information to enhance their oversight in addressing cybersecurity risks consistently throughout the department.”

The report added that if DHS does not clarify when exemptions apply, programs may not prepare the risk memorandums when they are needed. “As a result, DHS, in its oversight role, may not have information to effectively assess cybersecurity risk and ensure that risk mitigations are adequate.”

As of the end of the fiscal year 2022, “the DHS major acquisition programs in our review with approved baselines were meeting their cost and schedule goals, though some had rebaselined or are in the process of rebaselining these goals,” GAO reported. “Programs continue to report effects from the COVID-19 pandemic; however, many have not needed to adjust their baselines.” 

DHS’s major acquisitions increasingly rely on software and IT systems, and cyberattacks could potentially result in mission failure, GAO said. “Ensuring that DHS’s major acquisitions are secure is critical to meeting the department’s diverse missions. A key cybersecurity activity has not yet been implemented, despite DHS issuing an acquisition cybersecurity instruction over 2 years ago. Updating that instruction to clarify when this key activity must be carried out would improve program accountability and DHS’s ability to effectively assess cybersecurity risk in its major acquisitions,” it added. 

In January, GAO stated in a report that the federal government must develop and execute a comprehensive federal strategy for national cybersecurity and global cyberspace. Additionally, federal agencies must mitigate global supply chain risks, develop a government-wide reform plan that addresses the cybersecurity workforce shortage, and ensure the security of emerging technologies.
