Logo

Cybersecurity agency failed to follow its own policy securing a critical system: watchdog says

The Cybersecurity and Infrastructure Security Agency, known as CISA, has also faced scrutiny for its role forming a group accused of spurring social media censorship in the 2020 election.

By Steven Richards

Published: January 16, 2025 11:00pm

The lead federal cybersecurity agency previously scrutinized over censorship efforts failed to follow its own guidance to secure a critical system with sensitive data, the Department of Homeland Security’s chief watchdog found.

The Cybersecurity and Infrastructure Security Agency, known as CISA, has also faced scrutiny from Republicans for its role in organizing the Election Integrity Partnership—the private group that worked with social media companies to censor content during the 2020 election—effectively outsourcing “misinformation” policing, which critics said ran afoul of the First Amendment. 

“The Cybersecurity and Infrastructure Security Agency (CISA) did not implement effective controls for the selected High Value Asset (HVA) system per Federal and departmental requirements,” the Department of Homeland Security Inspector General’s office (DHS OIG) concluded. 

Guidance issued by CISA itself stresses the importance of protecting HVA systems and recommended federal agencies and other partners to conduct comprehensive security reviews to identify any risks.

"A complete failure"

“I mean, when you get even to the cyber related agencies in the federal government are susceptible to being…to being hacked and things like that, this Biden administration is a complete failure from top to bottom,” Oversight Committee Chairman James Comer told the "Just the News, No Noise" TV show. 

The HVA system, CISA says, is “so critical to an organization that the loss or corruption of this information or loss of access to the system would have serious impact to the organization’s ability to perform its mission or conduct business.” 

But, the DHS OIG found that, though the agency worked to develop policies to reduce risks to the information on its own critical system, there were “security deficiencies” in “access controls” and “awareness and training.” 

You can read the report below:

After a review of the system, DHS OIG found inactive user accounts were not consistently disabled or removed, according to established rules. Of 2,776 users analyzed, 40% had not accessed the system for extended periods, despite CISA’s internal policy requiring removal of inactive accounts after a certain period has elapsed. DHS OIG concluded this increased the risk of unauthorized access to the system. 

The inspector general also identified several users of the system who failed to complete mandatory cybersecurity awareness training. Records reviewed by the watchdog showed 15% of sampled users missed initial or annual cybersecurity training. 

Additionally, the DHS OIG found that CISA did not follow its own recommendations when conducting its own review of the system, failing to detect the access control deficiencies identified by the watchdog. 

“CISA also did not always follow the best practices it included in its own security alerts to remove or disable inactive accounts,” the OIG concluded. 

In response to the watchdog’s report, CISA promised to address its own security deficiencies and review the overarching process to assess the security of HVA systems. 

“CISA’s Cybersecurity Division will conduct a comprehensive review of the HVA assessment process and determine appropriate action, as needed, to ensure alignment with broader CISA guidance to the Federal community. This will include major security threats identified in CISA’s alerts and notifications to Federal agencies,” the agency said in a reply to the DHS OIG, estimating that it would complete the review in June 2025. 

CISA was formed in 2018 under the Trump administration to meet growing cybersecurity threats and evolved from the National Protection and Programs Directorate, a component of the Homeland Security Department that was formed in 2007. 

Just two years later, the agency, under the leadership of Director Christopher Krebbs, set out to combat election “misinformation” in the 2020 presidential election. 

"Flagging" programming to target "disinformation"

As part of this effort, CISA partnered with the Election Integrity Partnership, a consortium comprised of four member organizations: Stanford Internet Observatory, the University of Washington's Center for an Informed Public, the Atlantic Council's Digital Forensic Research Lab, and social media analytics firm Graphika. In its after-action report on the 2020 election, the consortium highlighted that it flagged over 4,800 URLs—which were shared nearly 22 million times on Twitter alone—for social media platforms.

The consortium set up a concierge-like service in 2020 that allowed federal agencies like CISA to file "tickets" requesting that online story links and social media posts be censored or flagged by Big Tech, Just the News previously reported. The State Department’s Global Engagement Center also drew scrutiny from Republicans over its participation in the service. 

The Supreme Court last year batted down a lawsuit that challenged the government’s ability to coordinate with social media companies about content moderation policies. In a 6-3, the conservative court ruled that the plaintiffs did not have standing to bring suit. 

The Facts Inside Our Reporter's Notebook

Documents

Links

Related Articles

Unlock unlimited access

  • No Ads Within Stories
  • No Autoplay Videos
  • VIP access to exclusive Just the News newsmaker events hosted by John Solomon and his team.
  • Support the investigative reporting and honest news presentation you've come to enjoy from Just the News.

    • Top Stories

    Trending

    Just the News Spotlight

    Just News, No Noise

    Support Just the News

    The Latest