A new report from the Government Accountability Office (GAO) says that the Department of Homeland Security (DHS) needs to clarify some of its cybersecurity policies when it comes to the department’s acquisition programs.
The report published on April 20 looks at seven DHS programs, and finds that none of them had created a cybersecurity risk recommendation memorandum (CRRM) “ahead of acquisition decision events,” GAO said.
“The instruction requires that major acquisition programs consider cybersecurity throughout the acquisition life cycle. Specifically, major acquisition programs are required to present a CRRM at acquisition decision events to identify the programs’ cybersecurity status and their risk recommendation,” GAO said.
The importance of having the CRRMs as part of the programs is highlighted, GAO said, by DHS’ big spending on border security and other missions.
“[DHS] invests billions of dollars annually to acquire systems that help secure the border, advance marine safety, screen travelers, improve disaster response, and execute a wide variety of other operations,” said the agency.
DHS responded to GAO that the agency either did not need such documentation, or that the agency had filed other documentation that waived the department’s need for a CRRM.
“As a result, DHS, in its oversight role, may not have information to effectively assess cybersecurity risk and ensure that risk mitigations are adequate,” said GAO.
The report concludes by recommending that DHS clarify “which major acquisition programs are required to have completed cybersecurity risk recommendation memorandums prior to acquisition decision events, and when exemptions apply,” GAO said. DHS concurred with both recommendations.