There are still a number of security controls lacking in a system the Transportation Security Administration (TSA) uses to centrally monitor its screening equipment located at airports round the country, according to a new report by the Department of Homeland Security (DHS) Inspector General’s (IG) office.
These deficiencies in the Security Technology Integrated Program (STIP) include “unpatched software updates and inadequate contractor oversight,” says the audit report, IT Management Challenges Continue in TSA’s Security Technology Integrated Program (Redacted) [OIG-16-87].
General Dynamics [GD] is TSA’s contractor for STIP.
The IG blames the inadequate security controls on TSA’s failure to follow DHS guidelines for managing sensitive IT systems and for not designating the assets of the program as IT equipment, which means “TSA did not ensure that IT security requirements were included in STIP procurement contracts.”
The IG says that in August 2015 security concerns due to unsupported operating systems led TSA to disconnect STIP equipment from the network. It adds that as of December 2015 the equipment was still disconnected.
TSA is taking steps to eliminate the STIP deficiencies, the IG says, including adding cyber security requirements to the equipment procurement process and not allowing system owners to prevent software patches to be provided despite concerns about system performance.