The Department of Homeland Security (DHS) has fallen short in fulfilling its mission to lessen cybersecurity risks on federal and private-sector computer systems and networks, the Government Accountability Office (GAO) judged in a recent report.
In particular, DHS has failed to develop metrics to measure and report on the effectiveness of its cyber risk mitigation activities or the IT security posture of the eight critical infrastructure sectors for which it is the lead federal agency, the report found.
The department’s National Cybersecurity and Communications Integration Center has failed to develop metrics and methods to evaluate its performance against statute-defined implementing principles.
Also, DHS’s National Cybersecurity Protection System had only partially met its objectives of detecting and preventing intrusions, analyzing malicious content, and sharing threat information.
The department has not identified all of its cybersecurity positions, has not assigned codes to filled and vacant positions, and has not determined critical skill requirements for those positions.
“Until DHS fully and effectively implements its cybersecurity authorities and responsibilities, the department’s ability to improve and promote the cybersecurity of federal and private-sector networks will be limited,” the GAO concluded.