The Department of Homeland Security's (DHS) Office of the Inspector General (IG) has called on the agency to prioritize the protection of its most important internal Information Technology (IT) critical infrastructures by establishing a new office for the task.
In December 2003, the White House issued Homeland Security Presidential Directive 7 (HSPD-7). The document created a national policy to identify critical infrastructures and key resources, and prioritize them based on risk. Along with traditional critical infrastructures, HSPD-7 required that government agencies conduct the same assessments, internally.
DHS Inspector General Richard L. Skinner reports that his agency has failed to follow the directive.
Although DHS established the National Center for Critical Information Processing and Storage (NCCIPS), which seeks to consolidate and store information necessary for the government continuity, the IG says DHS is not moving critical systems to the center based on risk, as it should, but by funding.
"The current DHS schedule for migrating systems to the NCCIPS is not based on system criticality, but instead is based on which component can fund the migration of a system," wrote Skinner. "As a result, DHS may not be providing a secure processing and backup facility for its most critical systems."
Further, DHS has not offered priority protection for assets designated "nationally critical," which "are considered necessary for the daily operation of the federal government."
Previously, DHS used a methodology known as "Project Matrix" to identify nationally critical cyber assets, but the agency's chief information security officer (CISO) terminated the support contract in 2005. Then, in 2007, the CISO removed the language describing its and the Office of the Chief Information Officer's responsibility in relation to HSPD-7 and Critical Infrastructure Protection from the agency's sensitive systems' handbook.
The CISO's office told the IG that it canceled the contract and eliminated the language because Project Matrix was not required by HSPD-7. The resulting vacuum was never filled, which is why the IG's report recommends DHS assign an office to identify and prioritize internal critical infrastructure assets.
"The absence of this assigned responsibility, " the IG writes, "hinders DHS' ability to ensure that its most critical assets are prioritized for protection."
Skinner also criticized DHS for not coordinating its prioritized protection responsibilities between its Office of Security and Chief Information Officer. The IG fears that without this coordination, plans for protecting critical agency IT infrastructures could remain incomplete. To avoid that, he recommended DHS coordinate its protection activities between the agency's line of business chiefs.
Elaine Duke, deputy under secretary for management at DHS, said her agency agreed with both recommendations.