U.S. Customs and Border Protection (CBP) has not always protected Mobile Passport Control (MPC) applications from cybersecurity threats, according to a report from the Department of Homeland Security’s Office of Inspector General (OIG).
The CBP is responsible for securing travelers’ data from cybersecurity threats, and its MPC applications contain travelers’ personally identifiable information used to expedite CBP’s inspection process. The OIG said it conducted its audit between March 2020 and April 2021 to determine to what extent CBP protects its MPC apps from cyber threats.
The audit found, however, that CBP did not scan 91 percent of its MPC app version updates to detect vulnerabilities – mainly because the agency relies on the app developers for updates but was not always notified when updates were issued.
The audit also found that because CBP was not required to review all the scan results, it failed to identify vulnerabilities that the scans had detected. CBP also was unable to establish a schedule for reviews or to track and centrally store review documentation, and therefore did not complete seven security and privacy compliance reviews required by the MPC Privacy Impact Assessment.
Additionally, the audit found that CBP did not obtain the necessary information for MPC application reviews, had competing priorities, and did not ensure app developers created an essential process CBP needed to perform a mandatory internal audit.
And lastly, CBP did not implement specific hardware and software configuration settings on MPC servers to protect them from vulnerabilities, although the Department of Homeland Security requires it.
“Unless CBP addresses these cybersecurity vulnerabilities, MPC apps and servers will remain vulnerable, placing travelers’ personally identifiable information at risk of exploitation,” the report states.
The OIG made eight recommendations, all of which CBP agreed to:
- Scan all app update versions before developers release them.
- Organize processes around scanning, define roles and responsibilities to ensure scans happen, and ensure that all scan results are reviewed for vulnerabilities.
- Define processes to conduct required security and privacy compliance reviews on a specific timeline, track completed reviews, and centrally store review documentation.
- Ensure that developers share all the information needed to perform the Requirements Traceability Matrix questionnaire, a security compliance review.
- Create a way to review access logs, define the periodic review time frame, and complete the required reviews during a specified time frame.
- Complete required privacy evaluation reviews.
- Update policy to include a process for conducting and completing internal audits.
- Fully implement DISA STIGs, request waivers to be exempt from some of the requirements, or fully document any exceptions made to deviate from the conditions.