Systemic Security Lapses in Mobile Management
A Department of Homeland Security (DHS) Office of Inspector General (OIG) report found that the Secret Service failed to maintain adequate security for mobile devices, creating vulnerabilities for protectees and staff. The report identifies the Office of the CIO (OCIO) as the primary failure point: it did not implement necessary security software or ensure that government-furnished equipment (GFE) met operational requirements.
Key security failures include:
- Normalization of Personal Devices: Due to technical limitations and frequent VPN failures on government-issued devices, employees routinely used personal phones for official business. This practice was so common that the agency reimbursed employees for personal device usage after international travel.
- Failure to Sanitize Devices: Despite established policies, the agency failed to consistently wipe data from devices after international missions. The report cites instances where phones were not wiped for years, including after travel to high-risk countries.
- Insecure App Approval: The agency approved the use of applications containing known vulnerabilities, further exposing sensitive information to potential interception.
Obstruction and Agency Response
The audit, which covered the period from October 2022 to April 2025, faced significant friction. The Secret Service delayed the OIG’s access to asset management and travel systems for over 130 days, citing concerns over the scope of data requested. The OIG noted that these delays hindered its ability to independently validate property information and conduct necessary interviews.
Despite the friction, the Secret Service concurred with all five OIG recommendations. The agency has begun remediation efforts, including the development of a formal intake process to ensure mobile capabilities align with mission needs and a new outreach strategy to clarify mobile device usage policies. The OIG has already closed one of the five recommendations, with the remainder pending further evidence of implementation.