DHS OIG Report: USCIS Should Improve Controls to Restrict Unauthorized Access to Its Systems and Information

DHS OIG, Sept. 7, 2022

"U.S. Citizenship and Immigration Services (USCIS) did not apply the information technology (IT) access controls needed to restrict unnecessary access to its systems, networks, and information. USCIS did not consistently manage or remove access for its personnel once they departed positions and did not have a process to adequately verify access after personnel transferred offices within USCIS. Also, USCIS did not take all necessary steps to ensure privileged user access was appropriate and did not adequately manage and monitor service account access. These deficiencies stemmed from insufficient internal controls and day-to-day oversight to ensure access controls are administered appropriately and effectively to prevent unauthorized access. Based on our testing, USCIS did not implement all the required security settings and updates for its IT systems and workstations to help reduce the impact if access control weaknesses are exploited. Although USCIS systems and workstations were generally compliant with required security standards, not all required settings and updates were implemented due to concerns that they may negatively impact system operations. Lastly, while USCIS appropriately relied on departmental guidance for access control policies and procedures, the guidance was outdated and did not include the latest Federal requirements. USCIS is taking steps to enhance its access control and system security processes to address these deficiencies. Until fully addressed, these deficiencies may limit the Department’s overall ability to reduce the risk of unauthorized access to its network, which may disrupt mission operations. Additionally, inadequate security settings on IT equipment may limit USCIS’ capability to overcome a major cybersecurity incident." (Emphasis added.)