DHS watchdog rebukes CISA and law enforcement training center for failing to protect data
The Department of Homeland Security’s (DHS) inspector general released a blistering report Wednesday, slamming the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Law Enforcement Training Centers (FLETC) for failing to protect sensitive data by flouting a direct order from DHS leadership to stop working with a “high risk” contractor.
The inspector general’s office said it found “urgent cybersecurity issues” during an audit of both organizations, determining that both failed to safeguard sensitive information by not only continuing to use the contractor, but also failing to “mitigate risks” posed by their ongoing use of its software.
The report did not identify the contractor by name, but said a DHS internal investigation found it used “poor cybersecurity practices.”
“By not taking action to mitigate the control deficiencies, CISA and FLETC may be putting sensitive personally identifiable information (PII) and sensitive law enforcement training information stored and processed by CISA and FLETC’s learning management systems at risk of compromise,” the report said.
It said the organizations’ continued work with the vendor “created a significant risk to the operations, assets, and individuals” at both CISA and FLETC.
A CISA spokesperson said via email that the agency “is fully committed to protecting personally identifiable information and has taken steps to address the concern raised by the OIG until a replacement learning platform can be deployed.” FLETC did not respond to a request for comment.
The contractor’s software used by FLETC gathers, stores and “disseminates” the names, Social Security numbers, dates of birth, genders, ranks, and titles of 37,951 DHS and federal law enforcement officers as well as training materials for how to disarm active shooters and counter seaport terrorism, among other things, the report said.
CISA’s learning management system, which also relies on the contractor’s software, is available to all federal military, state, local, tribal, and territorial governments as well as veterans. It gathers names and email addresses from approximately 500,000 users nationwide and also contains sensitive training courses.
DHS and the Office of Personnel Management agreed to buy learning management software from the contractor in August 2022, but cut ties in June 2023 after discovering significant security weaknesses in the aftermath of several hard drive failures in late May.
The May incident caused DHS data to be lost and spurred a 6-day service outage, the report said, leading the agency to discover the contractor:
- Did not actively monitor its data center or “hardware health alerts”
- Deployed hardware at the “end of its useful life”
- Failed to take data store “snapshots” for months before the hard drive failure
- Did not meet log-retention and audit logging rules
- Did not obtain authorization, yet shared federal data with a third-party recovery service
In July 2023 DHS’s chief information security officer ordered the agency’s components, including CISA and FLETC, to stop using the contractor’s learning management software “because it could not rule out the possibility of a malicious insider or cyberattack.”
CISA’s chief information officer (CIO) initially cut ties with the contractor, the report said, only to reauthorize use of its software three days later. That decision was made even though agency officials identified the overall risk to CISA’s operations as “high due to anomalies found during DHS’ investigation,” the report said.
The CIO recommended “accepting the risk” because not having the learning management software would be an inconvenience to its many users, the report said.
CISA has not created a new system or “taken any steps” to ensure the high-risk contractor “complies with DHS and CISA standards,” as of this month, the report said.
FLETC also kept using the contractor’s product after the DHS order to trash it and even signed a $1.8 million year-long extension of its agreement with the company one month after DHS ordered the organization to immediately stop working with the company, the report said.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.