IG infosec reports cite agency shortcomings

Agencies have submitted the first set of reports on their information security practices, and Office of Management and Budget officials are holding tight to the reviews prepared by chief information officers. But those released by inspectors general provide a glimpse into the security problems facing agencies.

Each agency had to submit two assessments of its information security policies under the Government Information Security Reform Act signed last October as part of the fiscal 2001 Defense Authorization Act. GISRA not only requires agencies to better manage their security, it also requires them to document their progress through a self-assessment and an independent review by the IGs.

OMB allowed IGs to choose whether or not to release their reports to the public. Several—including those from the Agriculture, Transportation and Energy departments—have made their reports available on their Web sites.

Those reports reveal many common problems, including weak controls that allow unauthorized employees to access sensitive systems. But the IGs also found evidence that agencies are starting to adopt practices advocated by central resources such as the CIO Council.

Although the reports may raise the awareness of agency executives, they may not prove entirely helpful to the people working on security, said William Hadesty, the USDA's associate CIO for cybersecurity.

The USDA has established a departmentwide security program and has enacted many of the measures required by law at the department level. But few of them have filtered down to the agency level, especially with regard to incident response and performance measures, according to the USDA's IG office.

The USDA has begun instituting many of the security practices required by GISRA, Hadesty said at the E-Gov Information Assurance Conference last month. But the GISRA guidelines issued by OMB earlier this year will not help the department address its weaknesses, he said.

GISRA does not spell out the ramifications for agencies whose assessments reveal poor security, but it does require agencies to provide a follow-up report with remediation plans and milestones for fixing weaknesses. Hadesty said he does not expect those plans to help the USDA either, because they will be based on the GISRA format.

Instead, he is awaiting the results of a General Accounting Office review of GISRA and the OMB guidance on developing the reports. Rep. Stephen Horn (R-Calif.), chairman of the House Government Reform Committee's Government Efficiency, Financial Management and Intergovernmental Relations Subcommittee, requested the review in March.

MORE INFO

GISRA conclusions

Information security reports recently prepared by agency inspectors general revealed these weaknesses:

* No standard for minimum security training requirements at the Agriculture Department.

* Poor internal access controls at the Energy Department, where at least nine employees were able to access the network without passwords.

* Inconsistent enforcement of external access controls; the Transportation Department IG was able to access almost 270 systems from the Internet.

* Fewer than half of DOE's offices consistently reported to the department's incident response center.
