Federal IT security incidents increasing rapidly

Information security incidents at 24 federal agencies have increased more than 600 percent during the last five years due to a combination of more numerous threats and persistent shortcomings in security controls, the Government Accountability Office said in a report dated Oct. 3.

GAO said it had previously made hundreds of recommendations on how to improve the agencies’ information protection practices and their compliance with the Federal Information Security Management Act, but although agencies mostly agreed with the need to beef up security, implementation was spotty and hacking and unauthorized access incidents continued to rise. As a result, the agencies had a 650 percent rise in security incidents, from 5,503 in fiscal 2006 to 41,776 in fiscal 2010, GAO said.

“Weaknesses in information security policies and practices at 24 major federal agencies continue to place the confidentiality, integrity, and availability of sensitive information and information systems at risk,” GAO concluded.

“Until hundreds of recommendations are implemented and program weaknesses are corrected, agencies will continue to face challenges in securing their information and information systems,” the report said.




Sen. Tom Carper (D-Del.) said the report adds urgency to the need to pass legislation he introduced with Sens. Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine) to strengthen cybersecurity.

“These findings are all the more troubling given that GAO has been telling us for some time that these are areas of vulnerability and must be addressed, yet we still haven't made enough progress in shoring up these obvious weaknesses,” Carper said. “Federal agencies need to fully implement meaningful security programs that can withstand the serious cyber challenges we face today and will face for the foreseeable future, and they need the proper oversight and guidance to accomplish that goal. The implementation of FISMA was a good start, but it is clear more steps need to be taken to enhance the federal government's information security.”

The report recommended that the Office of Management and Budget provide performance targets for metrics included in its annual FISMA reporting instructions. OMB responded that it would be more appropriate for the Homeland Security Department to provide the metrics, and GAO agreed.





About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.


Reader comments

Wed, Oct 5, 2011 WhatIARules

The problem as I see it is that any PM can accept the risks and there is little to no effort to stop them. Why are there 3 MAC levels when 2 will do? When an IAM is faced with disagreeing with the boss, it usually means that the IAM will be replaced or shelled away from what is happening inside the program. The local DAA who is supposed to provide that IAM with support is never present and will not engage in that fight, due to their "peer" pressure. Or in the other case, the IAMs are so bad at their job, they let everyone else do it for them and are not responsible or accountable. So everything slides to the right. MSs get passed, they issue ATOs and then we turn the other cheek and field these ticking time-bomb issues. Knowing well that they won't be fixed, the PMs move on and it's never heard of again. (The PM 2yr PCS Shuffle). Then a new PM comes in and receives more money for sustainment efforts that never get resolved.
