Reports Slam DHS on Data Security, Contract Oversight

Computerworld - Two newly released government reports criticize the U.S. Department of Homeland Security for data security and IT contract management shortcomings within the agency's program for controlling and monitoring the entry and visa status of foreign visitors.

The contract management report was publicly released by the Government Accountability Office last Monday, and a partially censored version of the security-related report was made available July 7 by the inspector general's office within the DHS.

The GAO said DHS officials responsible for the U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) program didn't establish effective financial controls for overseeing work performed on its behalf by other agencies. That includes U.S. Customs and Border Protection, which manages a system that maintains watch-list data and captures passenger arrival and departure information provided by air and sea carriers.

As a result of the oversight problems, the US-VISIT program office didn't understand exactly how much was being spent on contracts or whether the work was being done on time and within budgets, the GAO claimed in the report. It added that the DHS and the other agencies made duplicate payments on invoices and used funds designated for US-VISIT to pay for services that weren't related to the program.

The GAO recommended that DHS Secretary Michael Chertoff direct the US-VISIT program office to take steps designed to strengthen its contract management capabilities.

Room for Improvement

In a written response to the GAO, a DHS official said that although the agency disputes some of the findings in the report, it agrees with the recommendations and recognizes the need for improvement.

The other report, issued by Richard Skinner, inspector general at the DHS, said the agency hasn't properly configured a database in which personal information captured by radio frequency identification (RFID) devices is stored. The security gaps could be exploited to gain unauthorized or undetected access to sensitive data, according to the report.

In a written response, James Williams, director of the US-VISIT program, said steps have already been taken to strengthen account management procedures for the database. However, he disagreed with a recommendation that RFID-specific policies be set. Existing policies cover the security of data, whether it is collected via RFID or other technologies, he said.