Help available for security risk, GAO says

Although information security is one of two governmentwide issues labeled "high-risk," guidance and legislation issued over the past six months could significantly reduce federal agencies' risk, according to the General Accounting Office.

Security has been on the GAO high-risk list since 1997, but threats have increased over the past two years, and the government's ability to respond has not kept pace.

Many improvements have been made in response to numerous GAO and inspector general reports, but security program management "continues to be a widespread and fundamental problem," according to GAO's high-risk report, released Jan. 17.

"In reports to our committee, GAO has targeted agency vulnerabilities and made scores of helpful recommendations," said Sen. Joseph Lieberman (D-Conn.). "Based on these reports, the committee reported out a computer security bill which was enacted by Congress last year."

That bill, the Government Information Security Act, became part of the 2001 Defense Authorization Act that President Clinton signed in October. The new legislation requires agencies to adopt many of the management practices advocated by GAO and to undergo annual independent evaluations of their security management policies and practices.

This legislation, coupled with new tools and guidance from the CIO Council and the Office of Management and Budget, could help agencies start to catch up with the vulnerabilities they face as they increasingly depend on computers and the Internet, the GAO report stated.

Key among these tools is the CIO Council's Information Technology Security Assessment Framework, a tool for agencies to determine the effectiveness of their security programs. But according to GAO, it is important to maintain the momentum started by the release of the framework by ensuring that it is used and that its results are further evaluated by agencies.

