OFFICE OF INSPECTOR GENERAL
Department of Homeland Security
systems classified as “Secret” and “Top Secret,” and systems operated by
contractors on behalf of DHS. As part of the Department’s continuous
monitoring strategy, DHS CISO maintains awareness of the Department’s
information security program through: (1) Continuous Diagnostics and
Mitigation, (2) the Ongoing Authorization Program, and (3) the Network Operations
Security Center.[9]
Foremost for all DHS components is adherence to the IT security requirements
set forth in the Department’s security authorization process,[10] which involves
comprehensive testing and evaluation of the security features of all information
systems before they become operational[11] within the Department. This evaluation
process results in an Authority to Operate (ATO) decision, whereby a senior
official authorizes the operation of an information system based on an agreed-
upon set of security controls. Per DHS guidelines,[12] each component CISO is
required to assess the effectiveness of the controls implemented before authorizing
the systems to operate, and periodically thereafter. According to applicable
DHS,[13] Office of Management and Budget (OMB),[14] and National Institute of
Standards and Technology (NIST)[15] policies, all systems must undergo the
authorization process before they become operational. The DHS CISO relies on
two enterprise management systems to keep track of security authorization
status and administer the information security program. These enterprise
management systems also provide a means to monitor plans of action and
milestones for remediating information security weaknesses related to
unclassified and Secret-level systems.
FISMA Reporting Instructions
FISMA requires each agency Inspector General (IG) to perform an annual
independent evaluation to determine the effectiveness of the agency’s
information security program and practices. The FY 2022 Core Inspector
General Metrics Implementation Analysis and Guidelines[16] (Fiscal Year 2022
[9] DHS Information Security Continuous Monitoring Strategy, Version 5.0, May 20, 2022.
[10] NIST defines a security authorization as a management decision by a senior organizational official authorizing operation of an information system and explicitly accepting the risk to agency operations and assets, individuals, other organizations, and the Nation based on implementation of an agreed-upon set of security controls.
[11] According to DHS policy, an information system must be granted an Authority to Operate before it becomes operational.
[12] DHS System Security Authorization Process Guide, Version 14.1, April 4, 2019.
[13] DHS System Security Authorization Process Guide, Version 14.1, April 4, 2019.
[14] OMB Circular A-130, Managing Information as a Strategic Resource, July 2016.
[15] NIST Special Publication (SP) 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, September 2020.
[16] The FY 2022 Core Inspector General Metrics Implementation Analysis and Guidelines was based on coordinated discussions between representatives from OMB, the Council of the Inspectors General on Integrity and Efficiency, Federal Civilian Executive Branch CISOs and their staff, and the Intelligence Community.
www.oig.dhs.gov 2 OIG-23-21