The Secret Service refused to hand over mandatory data on its computer security systems to the Department of Homeland Security (DHS) during fiscal 2014, a new watchdog report finds.

The report, released publicly by the DHS Office of the Inspector General on Monday, found that Secret Service's "refusal to provide the required data created a significant deficiency in the Department’s information security program," making it difficult for Homeland Security to know if security practices were put in place.

ADVERTISEMENT

"Your agency's action puts at risk its own information systems and those of the Department as a whole," DHS Inspector General John Roth wrote in an Oct. 29 letter to acting Secret Service Director Joseph Clancy. 

The letter came just weeks after Clancy took over the Secret Service following the resignation of embattled director Julia Pierson. Pierson's tenure saw a series of high-profile security lapses by the agency, including an incident where a man with a knife breached the White House fence and entered the East Room.

Roth said the person responsible for turning over the data on the unclassified security systems informed the DHS on Sept. 12 that they would not provide the information "due to concerns for operational safety."

"I am deeply concerned that your agency's unwillingness to provide the required continuous monitoring data feeds prevents the Department from overseeing and managing an effective information security program," Roth wrote to the Secret Service.

Two months later in a Nov. 7 letter, Clancy told the DHS they had signed a memorandum of understanding and that concerns over sharing data were "resolved." 

The watchdog report also found that other agencies the DHS oversees could do more to protect the security of their information. 

The report found FEMA and the U.S. Citizenship and Immigration Service (USCIS), the primary agency tasked with carrying out the president's executive action on immigration, still use the Microsoft Windows XP operating system — potentially vulnerable to hacking since "Microsoft stopped providing software updates to mitigate security vulnerabilities in April 2014."

It also faulted the USCIS for "not mitigating high-risk vulnerabilities." The report cites a July incident where a pair of the agency's workstations had software vulnerable to the Heartbleed bug more than two weeks after receiving an alert, which "may have exposed sensitive DHS data to potential exploits." The USCIS later said it had removed the software.

“DHS has worked to improve and secure its vast IT resources, but those improvements can only be effective if component agencies fully adhere to the rules and DHS management vigorously enforces compliance," the inspector general said in a statement Monday.

"Failure to do so will pose a serious threat to DHS and its Homeland Security missions," he added.