DHS OIG – Summary Report on Audits of Security Controls for TSA Information Technology Systems at Airports, December 30, 2016. OIG-17-14.
“Our previous reports identified numerous deficiencies in security controls for TSA’s IT systems and equipment at airports. These deficiencies included inadequate physical security for TSA server rooms at airports, unpatched software, missing security documentation, and incomplete reporting of IT costs. TSA has undertaken various actions to address the recommendations we made in these reports. Based on our review of the corrective actions taken as of May 2016, we consider most of the recommendations resolved and closed. However, TSA has not yet resolved recommendations we made in two key areas. TSA officials indicate it will take time, money, and contract changes to include security requirements in the Security Technology Integrated Program, a data management system that connects airport screening equipment to servers. TSA also disagrees that closed-circuit televisions, including cameras, at airports constitute IT equipment and that TSA is responsible for maintaining them. Further, as a result of our analysis to compile this report, we are making two new recommendations to improve security controls for TSA’s IT systems at airports. Specifically, TSA needs to assess the risk of not having redundant data communications capability to sustain operations at airports in case of circuit outages. Additionally, while TSA has undertaken reviews of security controls for its IT systems at airports, it would benefit from establishing a plan to conduct the reviews on a recurring basis nationwide.”