Biennial Report on DHS’ Implementation of the Cybersecurity Act of 2015

We determined that the Department has addressed the requirements of the Cybersecurity Act of 2015. However, the Department faces challenges effectively sharing cyber threat information across Federal and private sector entities. For example, the system DHS uses does not provide the contextual data needed to effectively defend against threats. DHS lacks a cross-domain information processing solution and automated tools to analyze and share threat information timely. DHS needs to enhance its outreach program to increase participation and improve coordination of information sharing across its partners. Further, our security testing identified configuration and patch management deficiencies related to the systems DHS uses to process and share threat information. We made five recommendations to the National Protection Programs Directorate (NPPD) to enhance the overall effectiveness of DHS’ information sharing program, including acquiring technologies needed for cross-domain sharing and automated analysis of cyber threat data, enhancing outreach to promote sharing, and implementing required security controls on selected information systems. The component concurred with all five recommendations.