GAO Report: DHS Needs to Clarify Cybersecurity Policy for Tech Acquisition Programs
A new Government Accountability Office report has urged the Department of Homeland Security to clarify when its technology procurement programs should be required to identify their cybersecurity risks in a memo called the Cybersecurity Risk Recommendation Memorandum.
The memo is intended to ensure that the acquisition life cycle integrates cybersecurity threat analysis and risk management. According to the report, GAO reviewed 25 programs and found that seven did not provide the memo, with their program managers saying that creating the document does not apply to them, FedScoop reported.
The programs that underwent GAO scrutiny include those that procure systems for border security, marine safety, disaster response and other operations. The report said the DHS instruction on issuing the CRRM is unclear because it does not state when the requirement might be waived and is not applicable, or whether other documents can be provided as an alternative to the memo. To resolve the issue, GAO recommended clarifying DHS cybersecurity policy and identifying which programs need to develop and sign out a CRRM.