Agencies riddled with security holes, GAO says

A performance audit shows that agencies are putting data at risk

A continued lack of sufficient information security controls at major federal agencies puts sensitive data at risk, the Government Accountability Office said today. GAO also said the process agencies use to report progress on information security needs to be improved.

In a report released today, GAO said agencies have persistent weaknesses in the controls they place on information systems and insufficient information security policies. The GAO's auditors said a recent audit that examined how well agencies were protecting information and complying with the Federal Information Security Management Act (FISMA) found significant problems.

“These persistent weaknesses expose sensitive data to significant risk, as illustrated by recent incidents at various agencies,” GAO said. “Further, our work and reviews by inspectors general note significant information security control deficiencies that place a broad array of federal operations and assets at risk.”

GAO said that according to its previous findings and those from agency inspectors general, agencies have persistent weaknesses in the access controls and configuration management controls they use to protect data. In addition, problems also existed with their segregation of duties, continuity of operations planning and agencywide information security programs. GAO said almost all 24 major federal agencies had weaknesses in information security controls.

Meanwhile, the auditors said the current FISMA reporting process doesn’t produce data that accurately gauge the effectiveness of agencies' information security activities. In addition, GAO said OMB's annual reporting instructions to agencies for FISMA reports weren’t always clear, and OMB didn’t put key information about problems identified by the IGs in its report to Congress. GAO also said OMB didn’t approve or disapprove agency information security programs.

To correct the problems, the auditors recommended that OMB:

  • Update annual reporting instructions to request inspectors general to report on the effectiveness of agencies’ processes for developing inventories, keeping track of contractor operations, and providing specialized security training.
  • Clarify and improve reporting instructions to inspectors general for certification and accreditation evaluations.
  • Include in the report to Congress a summary of the findings from the annual independent evaluations and significant deficiencies in information security practices.
  • Approve or disapprove agency information security programs after review.

Vivek Kundra, the federal chief information officer, said in response to the report that OMB was working to clarify FISMA reporting guidance and improve performance metrics. He also said OMB was planning to move FISMA reporting to an Internet-enabled database for fiscal 2009 reporting.

Kundra also responded that each year OMB reviews all FISMA reports from agencies and IGs and uses that information to evaluate agencies' security management programs.

About the Author

Ben Bain is a reporter for Federal Computer Week.

Reader comments

Fri, Jul 24, 2009 KB DC

It's a very complex issue; exactly what are the IT security requirements that developers and integrators are required to install? There are more than 400 of them in NIST SP 800-53A; but has any techie developer ever seen them? No, only the ISSM/ISSOs and their contractor staff. The techies and their managers choke at them ('You can't expect me to implement all those on this system- there are more of them than our functional requirements!') also, they aren't written in 'requirements' language for a developer to implement, instead they're written in 'policy' language; general enough to apply to any generic system. Also, the Fed C&A staffs are so busy documenting the findings and every test step of the 53A that they have limited or rushed time to work with management or Operations staff to FIX to POA&Ms - or are hesitant to create PoA&Ms for the extra work it'll cause.

Fri, Jul 24, 2009 Federal CIO

We have a simple remedy at our facilities: end users who fail to comply with IA training requirements have network access revoked. Security breaches are treated equally as harshly- workstations are locked down, and if the breach is significant enough the employee is terminated or subject to civilian or UCMJ disciplinary actions. The risk to defense networks is too great to allow workstations not to be locked down for mission essential tasks. Usually, however, a thorough discussion of the real risks to our networks, and the OPSEC and privacy considerations convinces most responsible employees of the need for workplace restrictions- it is a matter of education and understanding. More than once I have had fellow employees thank me for apprising them of the real dangers and taking countermeasures at home to protect themselves. They were under the impression that anti-virus programs were all that were required for protection. Their eyes grew wide as I easily demonstrated how easily I could "own them" through primitive assaults on their computers. All users at my facility are required to sign (non-repudiable) an Acceptable Use Agreement which becomes a legal document if necessary for disciplinary actions. There is no excuse of "I did not know." In my business we provide patient care. For my Information Assurance professionals, that also means we take care of the patients' data, OPSEC sensitive data, and Protected Health Information (PHI) and Personally Identifiable Information (PII). There is no excuse for poor security- it is just a poor Command and Control issue. Fortuitously, I don't have that issue, and I have Command support for enforcement.

Wed, Jul 22, 2009 Uncle Dave Chicago

President Ronald Reagan had it right... when the air traffic controllers went on strike, and they refused the invitation to return to work, he fired them. I'd suggest the same tactic be applied to any government worker who doesn't adhere to the rules; give them a chance to reform. If they don't, take action to fire them. The union will complain, they may go on strike, and if they do, then fire them. There are plenty of talented unemployed folks that would gladly take the job.

Tue, Jul 21, 2009

I'm an attorney who tried very hard to run IT for over 20 years in government and kept running into stone walls from CIO's and Technologists who knew little about people and even less about the business and mission of the agency. They only cared about moving to the next level and usually got asked to leave for incompetence and for not "listening". You need to manage the whole package and not just your own little world when you are a CIO.

Tue, Jul 21, 2009

Until you start holding people responsible for not patching vulnerabilities and not adhering to security practices, you are not going to see any improvement in IT security. The two major areas that need to be considered are privacy and privileges. Most government IT users think that their government furnished equipment (GFE) is their personal equipment just like at home and they treat it so. As the old saying goes “if I had a dime for every time I heard a word or phrase I would be a millionaire”; that phrase in the IT world is “you can’t do that this is my computer”! The other major area is what the user can or cannot do on GFE. Installing music, changing the background, chatting, all are vectors for attack. The average user should only have enough access and privileges to do their job, nothing more. So lock them down so that they can only do “work” and enforce the rules.
