The DHS inspector general released a report today entitled “Additional Guidance and Security Controls Are Needed Over Systems Using RFID at DHS” which takes a comprehensive view of the Department’s use of RFID technology, building on work in recent IG reports (see here and here). The report gives DHS relatively positive marks for its use of RFID, an assessment that belies a lot of the recent criticism of the Department’s use of the technology:
CBP, TSA, and US-VISIT have implemented effective physical security controls over RFID tags, readers, computer equipment, and databases supporting the RFID systems at the sites visited. No personal information is stored on the tags. Sensitive information is maintained in and can be obtained only with access to the system’s database.
Within this broader positive context, the report offers several points of criticism, but these are more about management and internal process than the actual use of the technology. The report concludes with the following recommendations to the DHS CIO:
• Develop and implement policy and guidance that addresses security controls for systems being implemented using RFID technology.
• Direct the DHS RFID Coordination Group to finalize its charter and ensure that all components using or planning to use RFID technologies are represented in the group.
• Ensure that components adhere to DHS information security procedures (that is, perform vulnerability assessments and review user access at least annually) for all systems using RFID technology.
This report probably won’t reassure the Spychips crowd, but it indicates to me that DHS is making progress at using RFID technology responsibly.