GAO: Although Progress Reported, Federal Agencies Need to Resolve Significant Information Security Deficiencies
February 14, 2008 -- Information security is especially important for federal agencies, where the public's trust is essential and poor information security can have devastating consequences. Since 1997, GAO has identified information security as a governmentwide high-risk issue in each of its biennial reports to the Congress.
Concerned by reports of significant weaknesses in federal computer systems, Congress passed the Federal Information Security Management Act (FISMA) of 2002, which permanently authorized and strengthened information security program, evaluation, and annual reporting requirements for federal agencies. GAO was asked to testify on the current state of federal information security and compliance with FISMA. This testimony summarizes (1) agency progress in performing key control activities, (2) the effectiveness of information security at federal agencies, and (3) opportunities to strengthen security. In preparing for this testimony, GAO reviewed prior audit reports; examined federal policies, guidance, and budgetary documentation; and analyzed agency and inspector general (IG) reports on information security.
Over the past several years, federal agencies consistently reported progress in performing certain information security control activities. According to the President's proposed fiscal year 2009 budget for information technology, the federal government continued to improve information security performance in fiscal year 2007 relative to key performance metrics established by the Office of Management and Budget (OMB). The percentage of certified and accredited systems governmentwide reportedly increased from 88 percent to 92 percent. Gains were also reported in testing of security controls (from 88 percent of systems to 95 percent of systems) and in contingency plan testing (from 77 percent to 86 percent). These gains continue a historical trend that GAO reported on last year.

Despite reported progress, major federal agencies continue to experience significant information security control deficiencies. Most agencies did not implement controls sufficient to prevent, limit, or detect access to computer networks, systems, or information. In addition, agencies did not always manage the configuration of network devices to prevent unauthorized access and ensure system integrity, patch key servers and workstations in a timely manner, assign duties to different individuals or groups so that no one individual controlled all aspects of a process or transaction (segregation of duties), or maintain complete continuity of operations plans for key information systems. An underlying cause of these weaknesses is that agencies have not fully or effectively implemented agencywide information security programs. As a result, federal systems and information are at increased risk of unauthorized access to, and disclosure, modification, or destruction of, sensitive information, as well as inadvertent or deliberate disruption of system operations and services. Such risks are illustrated, in part, by the increasing number of security incidents reported by federal agencies.
Nevertheless, opportunities exist to bolster federal information security. Federal agencies could implement the hundreds of recommendations made by GAO and IGs to resolve prior significant control deficiencies and information security program shortfalls. In addition, OMB and other federal agencies have initiated several governmentwide initiatives that are intended to improve security over federal systems and information. For example, OMB has established an information systems security line of business to share common processes and functions for managing information systems security and directed agencies to adopt the security configurations developed by the National Institute of Standards and Technology and Departments of Defense and Homeland Security for certain Windows operating systems. Opportunities also exist to enhance policies and practices related to security control testing and evaluation, FISMA reporting, and the independent annual evaluations of agency information security programs required by FISMA.
Subject Terms
Computer security
Computer systems
Controlled access
Federal agencies
Information security
Information security management
Information security regulations
Internal controls
Policy evaluation
Program evaluation
Program management
Reporting requirements
Risk assessment
Risk management
Systems integrity
GAO High Risk Series
Source: GAO