
0 of 7 Homeland Security programs had run cybersecurity risk assessments

DHS CIO office had given waivers... "a priority to improve compliance in future"

The US Department of Homeland Security (DHS) plans to spend more than $4 billion on major acquisition programmes ($300 million+) in 2023. But programme owners are ignoring requirements to conduct a cybersecurity risk recommendation memorandum (CRRM), with zero of seven programmes compliant.

That’s according to the US Government Accountability Office (GAO) which found that DHS Chief Information Officer (CIO)’s office and risk management officials were waving through the programmes without a CRRM because “in part, they do not want to delay any program’s progress through the acquisition life cycle…”

The programmes in question range from next-generation networks and airport checkpoints to new inland buoys.

(The latter include technologies for maritime navigation on inland waterways. Perhaps ironically, what looks superficially like the project least likely to need a detailed cybersecurity risk assessment has, GAO said, scheduled a tabletop exercise “that will review the chosen vendor’s design for vulnerabilities.”)

The situation is a stark reminder of the pressure cybersecurity leaders face to balance business and security needs, and of the risk of being seen as a blocker to procurement processes that are already complex and often slow, and from which officials are keen to strip out friction: “These officials recognize that the memorandums are not being completed and said it is a priority to improve compliance in the future,” GAO said on April 25.

According to DHS officials, CRRMs are intended to “serve as a mechanism to encourage collaboration in addressing cybersecurity planning and testing across the acquisition life cycle, and to document agreement between the program, component, and the department” – if it actually wants to get this right, the Secretary of Homeland Security should ensure that the department updates its instruction (102-01-012) and “clarifies (1) which major acquisition programs are required to have completed cybersecurity risk recommendation memorandums prior to acquisition decision events, and (2) when exemptions apply,” GAO said tartly.

See also: There’s a howling gap in offshore oil and gas cybersecurity oversight