GAO: DHS unprepared for cyber attacks
The Government Accountability Office (GAO) recently released an audit report that assesses the Department of Homeland Security’s (DHS) and the General Services Administration’s (GSA) vulnerability to cyber attacks. The report, GAO-15-6, examines the extent to which DHS and other federal facilities are prepared to address cyber risk to building and access control systems. While conducting its study, GAO reviewed stakeholders’ authorities to protect federal facilities, visited select facilities to ascertain what was being done to address cyber risks, and interviewed experts about cyber vulnerabilities of building and access control systems.
GAO determined that while DHS has begun to address the cyber risks, much work remains to be done. For instance, GAO found that DHS lacks a policy that defines the problem, identifies roles and responsibilities, analyzes the resources needed, and identifies a method for assessing the cyber risk. DHS’s lack of a cyber strategy for facility security is due in part to this being an emerging issue, but it demonstrates a lack of prioritization on the part of DHS. The report also states that the Interagency Security Committee (ISC) has not incorporated cyber threats to building and access control systems in its Design-Basis Threat report, which an ISC official attributed to a shift in focus to active shooter and workplace violence incidents. GAO also found that GSA has not fully assessed the cyber risks to federal facilities.
GAO recommends that DHS develop and implement a strategy to address cyber risk to building and access control systems. GAO also recommends that the ISC revise its Design-Basis Threat report to include cyber threats to building and access control systems, and that GSA assess the cyber risk to its building control systems.
For more information about GAO-15-6, please follow the links below.
GAO-15-6, Federal Facility Cybersecurity: DHS and GSA Should Address Cyber Risk to Building and Access Control Systems
DHS Leaves Federal Facilities Open To Cyber Attacks, Homeland Security Today