GAO: Federal agencies lack basic wireless security

More than two years after the National Institute of Standards and Technology warned of the security risks posed by wireless networks, a new study shows that government agencies have done little to improve wireless security.

“Despite the risks associated with wireless networks, federal agencies have not fully implemented key controls for securing these networks,” the Government Accountability Office concluded in a report released today.

GAO recommended that the Office of Management and Budget require agencies to ensure that wireless security is incorporated into their information security programs under the Federal Information Security Management Act.

Among GAO’s findings at 24 executive branch agencies:

  • Nine agencies had no policies on wireless networks, and several agencies had incomplete policies.

  • Thirteen agencies had no configuration requirements for wireless equipment.

  • Fourteen agencies did no monitoring to ensure compliance with wireless policies. Most monitored only sporadically, some as little as twice a year.

  • Eighteen agencies had no wireless security training programs.

In addition to surveying policies and practices, GAO tested wireless security at six agency headquarters in downtown Washington. All six exhibited a host of problems. Among them:

  • Signals leaked outside of all headquarters buildings, in one case as far as several blocks.

  • All had insecure configurations of wireless equipment. In one agency, 90 laptops were trying to associate with wireless networks while connected to the wired network.

  • All had unauthorized wireless devices operating within the networks.

Government offices were not alone in exhibiting these problems. In a 15-block drive around downtown Washington with a wireless scanner, GAO auditors reported detecting more than 1,000 wireless networks.

In Special Publication 800-48, released in November 2002, NIST pronounced wireless networks “the logical equivalent of an Ethernet port in the parking lot” and warned agencies that securing a wireless network takes far more effort than securing a wired one. It offered voluntary guidelines for locking down wireless networks and is working on updated guidance, expected to be issued for public comment in August.

“Currently, the lack of key controls in federal agencies means that unauthorized or poorly configured wireless networks could be creating new vulnerabilities,” GAO concluded.

GAO recommended, and OMB agreed, that agencies should be required to implement basic controls, including:

  • Comprehensive policies on the implementation and use of wireless networks.

  • Configuration requirements for deployment of wireless security tools.

  • Monitoring programs to ensure policy is being followed.

  • Training for employees and contractors on wireless policies.
