Cybersecurity Agency Broke Its Own Rules

Clear Facts

  • The Department of Homeland Security’s Inspector General found that the Cybersecurity and Infrastructure Security Agency (CISA) did not adhere to its own guidelines for securing a critical High Value Asset (HVA) system.
  • CISA faced criticism for not removing inactive user accounts and failing to ensure that all users completed mandatory cybersecurity awareness training.
  • CISA has committed to addressing these security issues and plans to review its HVA assessment process by June 2025.

The Department of Homeland Security’s chief watchdog has spotlighted a significant oversight by the Cybersecurity and Infrastructure Security Agency (CISA). This federal body, already under fire for its previous censorship efforts, failed to secure a critical system containing sensitive data, according to a recent report.

The Inspector General’s office concluded that CISA “did not implement effective controls for the selected High Value Asset (HVA) system per Federal and departmental requirements.” This revelation is particularly concerning given CISA’s own guidance, which emphasizes the importance of protecting such systems and conducting thorough security reviews.

Oversight Committee Chairman James Comer expressed his dissatisfaction with the current administration’s handling of cybersecurity. He criticized the administration for its vulnerabilities in cybersecurity, highlighting that even cyber-related federal agencies are susceptible to being hacked.

The HVA system is described by CISA as “so critical to an organization that the loss or corruption of this information or loss of access to the system would have serious impact to the organization’s ability to perform its mission or conduct business.”

Despite efforts to mitigate risks, the DHS OIG found “security deficiencies” in areas such as “access controls” and “awareness and training.” In particular, inactive user accounts were not consistently disabled or removed, as mandated by CISA’s internal policies.

Out of 2,776 users analyzed, 40% had not accessed the system for extended periods. This oversight increased the risk of unauthorized access. Additionally, the report highlighted that 15% of sampled users failed to complete mandatory cybersecurity awareness training.

The watchdog also noted that CISA did not follow its own recommendations during its review of the system, missing the access control deficiencies identified by the Inspector General. “CISA also did not always follow the best practices it included in its own security alerts to remove or disable inactive accounts,” the OIG concluded.
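The two control failures the OIG describes, inactive accounts left enabled and users without current awareness training, are both things an operator can check mechanically from a directory export. The following is an added example written for this article, not code from the OIG report or from CISA: it audits a constructed list of accounts against an assumed 90-day inactivity threshold and an assumed one-year training validity window (both placeholders for whatever your own policy specifies), reports each finding as a share of enabled accounts in the same way the report quotes "40% of 2,776 users", and produces a remediation list. Accounts that are already disabled are skipped, and an account that has never logged in counts as inactive rather than slipping through because it has no last-login date.

```python
"""Audit a user list for inactive accounts and lapsed awareness training."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed thresholds: substitute the values from your own access-control policy.
INACTIVITY_THRESHOLD_DAYS = 90
TRAINING_VALIDITY_DAYS = 365


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]          # None means the account has never logged in
    training_completed: Optional[date]  # None means no training completion on record


def inactive_accounts(accounts, as_of, threshold_days=INACTIVITY_THRESHOLD_DAYS):
    """Enabled accounts that never logged in or whose last login is older than the threshold."""
    flagged = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing to do
        if acct.last_login is None or (as_of - acct.last_login).days > threshold_days:
            flagged.append(acct.username)
    return sorted(flagged)


def training_lapsed_accounts(accounts, as_of, validity_days=TRAINING_VALIDITY_DAYS):
    """Enabled accounts with no training record or one older than the validity window."""
    flagged = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.training_completed is None or (as_of - acct.training_completed).days > validity_days:
            flagged.append(acct.username)
    return sorted(flagged)


def share_of_enabled(usernames, accounts):
    """Percentage of enabled accounts that appear in `usernames`, rounded to one decimal."""
    enabled = [a for a in accounts if a.enabled]
    if not enabled:
        return 0.0
    return round(100.0 * len(usernames) / len(enabled), 1)


def remediation_actions(accounts, as_of):
    """One human-readable action per finding, suitable for a ticket or change request."""
    by_name = {a.username: a for a in accounts}
    actions = []
    for name in inactive_accounts(accounts, as_of):
        last = by_name[name].last_login
        reason = "never logged in" if last is None else f"no login in {(as_of - last).days} days"
        actions.append(f"disable {name}: {reason}")
    for name in training_lapsed_accounts(accounts, as_of):
        actions.append(f"suspend {name} until awareness training is completed")
    return actions


# Constructed sample directory export; usernames and dates are made up for this example.
SAMPLE_ACCOUNTS = [
    Account("alice", True, date(2024, 9, 28), date(2024, 3, 1)),
    Account("bob", True, date(2024, 5, 1), date(2024, 2, 10)),
    Account("carol", True, None, None),
    Account("dave", False, date(2024, 1, 15), date(2023, 1, 1)),
    Account("erin", True, date(2024, 7, 2), date(2023, 9, 30)),
    Account("frank", True, date(2024, 6, 30), date(2024, 8, 15)),
]
AS_OF = date(2024, 9, 30)

if __name__ == "__main__":
    inactive = inactive_accounts(SAMPLE_ACCOUNTS, AS_OF)
    lapsed = training_lapsed_accounts(SAMPLE_ACCOUNTS, AS_OF)
    print(f"inactive: {inactive} ({share_of_enabled(inactive, SAMPLE_ACCOUNTS)}% of enabled)")
    print(f"training lapsed: {lapsed} ({share_of_enabled(lapsed, SAMPLE_ACCOUNTS)}% of enabled)")
    for action in remediation_actions(SAMPLE_ACCOUNTS, AS_OF):
        print(" -", action)
```

Two design choices are worth noting. The inactivity test is strictly "more than N days", so in the sample `erin` at exactly 90 days is not flagged while `frank` at 92 is; pick the comparison deliberately and document it, because audits like the OIG's turn on exactly this kind of boundary. And the training window is measured in calendar days, so a completion date of 30 September 2023 has lapsed on 30 September 2024 in a leap year (366 days); if your policy means "once per calendar year", compare years instead of day counts.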

In response, CISA has pledged to rectify these shortcomings. The agency stated that its Cybersecurity Division will “conduct a comprehensive review of the HVA assessment process and determine appropriate action, as needed, to ensure alignment with broader CISA guidance to the Federal community.” This review is slated for completion by June 2025.

CISA, established in 2018, evolved from the National Protection and Programs Directorate to address increasing cybersecurity threats. However, its involvement in organizing the Election Integrity Partnership during the 2020 election has drawn criticism for outsourcing “misinformation” policing.

This partnership, which included entities like Stanford Internet Observatory and the University of Washington’s Center for an Informed Public, flagged over 4,800 URLs during the election. The Supreme Court, in a 6-3 decision, later dismissed a lawsuit challenging the government’s coordination with social media companies on content moderation.

Let us know what you think; please share your thoughts in the comments below.
