DHS falls short on protecting critical infrastructure database, says Inspector General

The IG said that there were significant flaws in access controls for the sensitive database, called the protected critical infrastructure information (PCII) system, which contains security reviews of US critical infrastructure.

The report singled out two systems that are used to access the PCII data: the Automated Critical Asset Management System (ACAMS) and the Linking Encrypted Network System (LENS).

The ACAMS has configuration and access control deficiencies that could put PCII data at risk of unauthorized access, disclosure, and misuse. The report found that 83% of ACAMS users had not logged into their accounts for more than 45 days, and that 72% of users had never logged onto the system, even though DHS requires accounts to be deactivated after 45 days of inactivity.

Similar problems were found on LENS’s Infrastructure Information Collection System (IICS): 20% of IICS users had never logged into the system and unused database administrator accounts were not being disabled within the required timeframe of 45 days.

"Configuration and account access vulnerabilities identified on the LENS and ACAMS systems must be mitigated to manage and secure the systems and PCII data from the risks associated with internal and external threats, unauthorized access and misuse," the report warned.

To address these problems, the IG recommended that DHS’s National Protection and Programs Directorate (NPPD) develop a system to track personnel and contractors who have access to LENS and ACAMS PCII data and periodically review whether they still need access.

The NPPD concurred with the recommendation, and noted that its PCII management system (PCIIMS) provides a web-based authorized user registration and training delivery system, “which enables robust training and management of authorized users”.

The IG responded that the NPPD did not commit to periodically reviewing whether individuals still need access to PCII. “This recommendation will remain open until the Office of [Infrastructure Protection] provides documentation to support that corrective actions are being taken to address this recommendation and that a review process will be implemented”, the report concluded.
