Agencies riddled with security holes, GAO says

A performance audit shows that agencies are putting data at risk

A continued lack of sufficient information security controls at major federal agencies puts sensitive data at risk, the Government Accountability Office said today. GAO also said the process agencies use to report progress on information security needs to be improved.

In a report released today, GAO said agencies have persistent weaknesses in the controls they place on information systems and insufficient information security policies. The GAO's auditors said a recent audit that examined how well agencies were protecting information and complying with the Federal Information Security Management Act (FISMA) found significant problems.

“These persistent weaknesses expose sensitive data to significant risk, as illustrated by recent incidents at various agencies,” GAO said. “Further, our work and reviews by inspectors general note significant information security control deficiencies that place a broad array of federal operations and assets at risk.”

GAO said that according to its previous findings and those from agency inspectors general, agencies have persistent weaknesses in the access controls and configuration management controls they use to protect data. Problems also existed with their segregation of duties, continuity of operations planning and agencywide information security programs. GAO said almost all 24 major federal agencies had weaknesses in information security controls.

Meanwhile, the auditors said the current FISMA reporting process doesn’t produce data to accurately gauge the effectiveness of agencies' information security activities. In addition, GAO said OMB's annual reporting instructions to agencies for FISMA reports weren’t always clear and OMB didn’t put key information about problems identified by the IGs in its report to Congress. GAO also said OMB didn’t approve or disapprove agency information security programs.

To correct the problems, the auditors recommended that OMB:

  • Update annual reporting instructions to request inspectors general to report on the effectiveness of agencies’ processes for developing inventories, keeping track of contractor operations, and providing specialized security training.
  • Clarify and improve reporting instructions to inspectors general for certification and accreditation evaluations.
  • Include in the report to Congress a summary of the findings from the annual independent evaluations and significant deficiencies in information security practices.
  • Approve or disapprove agency information security programs after review.

Vivek Kundra, the federal chief information officer, said in response to the report that OMB was working to clarify FISMA reporting guidance and improve performance metrics. He also said OMB was planning to move FISMA reporting to an Internet-enabled database for fiscal 2009 reporting.

Kundra also responded that each year OMB reviews all FISMA reports from agencies and IGs and uses that information to evaluate agencies' security management programs.

About the Author

Ben Bain is a reporter for Federal Computer Week.
