Agencies riddled with security holes, GAO says

A performance audit shows that agencies are putting data at risk

A continued lack of sufficient information security controls at major federal agencies puts sensitive data at risk, the Government Accountability Office said today. GAO also said the process agencies use to report progress on information security needs to be improved.

In a report released today, GAO said agencies have persistent weaknesses in the controls they place on information systems and insufficient information security policies. The GAO's auditors said a recent audit that examined how well agencies were protecting information and complying with the Federal Information Security Management Act (FISMA) found significant problems.

“These persistent weaknesses expose sensitive data to significant risk, as illustrated by recent incidents at various agencies,” GAO said. “Further, our work and reviews by inspectors general note significant information security control deficiencies that place a broad array of federal operations and assets at risk.”

GAO said that according to its previous findings and those from agency inspectors general, agencies have persistent weaknesses in the access controls and configuration management controls they use to protect data. In addition, problems also existed with their segregation of duties, continuity of operations planning and agencywide information security programs. GAO said almost all 24 major federal agencies had weaknesses in information security controls.

Meanwhile, the auditors said the current FISMA reporting process doesn’t produce data to accurately gauge the effectiveness of agencies' information security activities. In addition, GAO said OMB's annual reporting instructions to agencies for FISMA reports weren’t always clear and OMB didn’t put key information about problems identified by the inspectors general (IGs) in its report to Congress. GAO also said OMB didn’t approve or disapprove agency information security programs.

To correct the problems, the auditors recommended that OMB:

  • Update annual reporting instructions to request inspectors general to report on the effectiveness of agencies’ processes for developing inventories, keeping track of contractor operations, and providing specialized security training.
  • Clarify and improve reporting instructions to inspectors general for certification and accreditation evaluations.
  • Include in the report to Congress a summary of the findings from the annual independent evaluations and significant deficiencies in information security practices.
  • Approve or disapprove agency information security programs after review.

Vivek Kundra, the federal chief information officer, said in response to the report that OMB was working to clarify FISMA reporting guidance and improve performance metrics. He also said OMB was planning to move FISMA reporting to an Internet-enabled database for fiscal 2009 reporting.

Kundra also responded that each year OMB reviews all FISMA reports from agencies and IGs and uses that information to evaluate agencies' security management programs.

About the Author

Ben Bain is a reporter for Federal Computer Week.
