GAO lists security bargains

Agencies can cut their information systems' security risks with low-cost and no-cost solutions, federal experts told Congress Wednesday.

The General Accounting Office listed six steps that agencies can take to immediately cut down on their security risks:

* Increase security awareness throughout the organization.

* Ensure that existing controls are operating effectively.

* Ensure that software patches are up-to-date.

* Use automated scanning and testing tools to quickly identify vulnerabilities.

* Expand the use of best practices throughout the agency.

* Ensure that the most common vulnerabilities are addressed.

In its security audits of agencies, including the departments of Defense and Veterans Affairs, GAO found that security controls are in place but that those controls are not being used correctly, said Jack Brock, director of governmentwide and defense information systems at the General Accounting Office's Accounting and Information Management Division.

"Agencies are spending money for tools, but they're not using those tools," Brock testified before the House Government Reform Committee's Government Management, Information and Technology Subcommittee. "Tools are present, but they're not turned on, they're not monitored, you're not sure if they're working or not."

One agency that has incorporated many of GAO's low-cost solutions into its agencywide security policy is NASA, which has made many improvements in security since its GAO audit in 1998, Brock said.

The agency has bought commercial off-the-shelf vulnerability analysis and scanning tools, but it is augmenting them with freeware and shareware tools from the Internet. NASA also has developed and distributed a list of its top 50 vulnerabilities and has built those into auditing tools at NASA centers so that they automatically scan for those weaknesses, testified David Nelson, NASA's deputy chief information officer.

