GAO: Common desktop configuration holds promise for better security

Agencies have not adopted — or are only slowly implementing — numerous recommendations and actions that could significantly improve the federal security posture, the Government Accountability Office has said.

GAO also reported that agencies did make incremental but steady progress in improving information security in 2007.

Persistent weaknesses in agency information security controls still threaten the confidentiality, integrity and availability of federal information and the systems on which the data runs, said Gregory Wilshusen, director of GAO’s information technology issues. The latest report to Congress on agencies’ compliance with the Federal Information Security Management Act also showed a jump in reported security incidents. 

GAO audits continue to identify similar conditions in financial and nonfinancial systems, including agencywide weaknesses as well as weaknesses in critical federal systems. For example, 20 of 24 major agencies indicated that inadequate information security controls were a significant deficiency or a material weakness for financial statement reporting, he said.

In addition to acting on past recommendations, agencies should take advantage of more robust security control testing, information security performance metrics and independent evaluations, Wilshusen said. He also urged agencies to implement user identification and authentication, authorization, boundary protections, encryption, and audit and monitoring.

“Until such opportunities are seized and fully exploited and the hundreds of GAO and [inspector general] recommendations to mitigate information security control deficiencies and implement agencywide information security programs are fully and effectively implemented, federal information and systems will remain at undue and unnecessary risk,” Wilshusen said March 12 at a hearing of the Senate Homeland Security and Governmental Affairs Committee’s Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security.

Agencies' most persistent weaknesses are in access controls, configuration management controls, segregation of duties, continuity-of-operations planning and agencywide information security programs, Wilshusen said. Agencies may not be fully aware of the security control weaknesses in their systems, leaving them vulnerable to attack or compromise.

Agencies in 2007 hit a milestone by certifying and accrediting more than 90 percent of all 10,304 federal systems, said Karen Evans, the Office of Management and Budget’s administrator for e-government and information technology. The C&A process assesses information technology systems for security controls. Some critics of FISMA have said the process has become more paper checklist than a way to evaluate risk and needs to be updated.

Evans cautioned against major changes, saying clarification might be more effective. Instead, those in oversight should keep monitoring what agencies are doing and whether they are implementing solutions.

Evans testified that if agencies perform the work only to comply with OMB, those are just paper exercises. But many agencies use the guidance and conduct FISMA procedures to discover and manage risk to serve the mission, she said.

“You need to use FISMA as an indicator,” Evans said. “We pick certification and accreditation because we think it measures a life cycle for assessing risk.” Agency executives then sign off on the process, accepting the risk.

Agencies improved the quality of the C&A process in 2007, with 76 percent of agency inspectors general rating quality as satisfactory or better, and the number of agencies with the lowest rating decreased to four from nine, Evans said. “The goal is to be able to analyze this information and then fix the systemic problems.”

One agency that has excelled in information security is the U.S. Agency for International Development. Philip Heneghan, USAID chief information security officer, told lawmakers that senior executive buy-in, extensive training and having business owners lead certification and accreditation of systems helped the agency achieve a high grade. The agency also has a centralized IT environment. USAID engages its executives, managers and systems administrators.

For each system and network, USAID has identified an executive who owns it, has responsibility for it and is in the best position to make risk-based decisions regarding the system’s security controls, he said.

USAID also relies on technologies that automate the collection and reporting of security information and metrics in a risk-based approach. A vulnerability management program continually scans the systems on its network to measure their security posture. USAID is one of six pilot agencies for the Einstein program to reduce the number of external Internet connections, the basis of OMB’s governmentwide Trusted Internet Connections program.

OMB has directed agencies to strengthen federal information systems. Many security problems stem from configuration or patch management issues. One of its requirements is the Federal Desktop Core Configuration, under which agencies that have Microsoft Windows XP and plan to upgrade to Windows Vista operating systems will adopt security configurations developed by the National Institute of Standards and Technology and the Defense and Homeland Security departments.

“FDCC holds a lot of promise. It [gives] the ability to secure a system right out of the box,” Wilshusen said.

During the final year of the administration, Evans said she will focus on:

  • Achieving 100 percent of systems certified and accredited.

  • Identifying and providing oversight of contractor systems.

  • Reducing or eliminating systems that are uncategorized by risk impact level.

  • Improving agencies' identification and reporting of security incidents.

  • Increasing general and job-specific security training for federal employees and contractors.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
