Agencies riddled with security holes, GAO says

A performance audit shows that agencies are putting data at risk

A continued lack of sufficient information security controls at major federal agencies puts sensitive data at risk, the Government Accountability Office said today. GAO also said the process agencies use to report progress on information security needs to be improved.

In a report released today, GAO said agencies have persistent weaknesses in the controls they place on information systems and insufficient information security policies. The GAO's auditors said a recent audit that examined how well agencies were protecting information and complying with the Federal Information Security Management Act (FISMA) found significant problems.

“These persistent weaknesses expose sensitive data to significant risk, as illustrated by recent incidents at various agencies,” GAO said. “Further, our work and reviews by inspectors general note significant information security control deficiencies that place a broad array of federal operations and assets at risk.”

GAO said that according to its previous findings and those from agency inspectors general, agencies have persistent weaknesses in the access controls and configuration management controls they use to protect data. Problems also existed with their segregation of duties, continuity of operations planning and agencywide information security programs. GAO said almost all 24 major federal agencies had weaknesses in information security controls.

Meanwhile, the auditors said the current FISMA reporting process doesn’t produce data to accurately gauge the effectiveness of agencies' information security activities. In addition, GAO said OMB's annual reporting instructions to agencies for FISMA reports weren’t always clear and OMB didn’t put key information about problems identified by the IGs in its report to Congress. GAO also said OMB didn’t approve or disapprove agency information security programs.

To correct the problems, the auditors recommended that OMB:

  • Update annual reporting instructions to request inspectors general to report on the effectiveness of agencies’ processes for developing inventories, keeping track of contractor operations, and providing specialized security training.
  • Clarify and improve reporting instructions to inspectors general for certification and accreditation evaluations.
  • Include in the report to Congress a summary of the findings from the annual independent evaluations and significant deficiencies in information security practices.
  • Approve or disapprove agency information security programs after review.

Vivek Kundra, the federal chief information officer, said in response to the report that OMB was working to clarify FISMA reporting guidance and improve performance metrics. He also said OMB was planning to move FISMA reporting to an Internet-enabled database for fiscal 2009 reporting.

Kundra also responded that each year OMB reviews all FISMA reports from agencies and IGs and uses that information to evaluate agencies' security management programs.

About the Author

Ben Bain is a reporter for Federal Computer Week.
