Agencies struggle with securing computers, GAO reports

Senators are taking action to get agencies on track with securing their computer systems from cyber attacks

Despite the frequency in cyberattacks against government networks, no major agency has fully secured its computers to the specifications in two major White House protection initiatives, a pair of new reports said.

No agency has met all of the requirements of the Trusted Internet Connection (TIC) or the Federal Desktop Core Configuration (FDCC) initiatives, the Government Accountability Office reported today. As a result, senators are drafting legislation to deal with many of the lessons learned in starting these key cybersecurity initiatives, Homeland Security and Governmental Affairs Committee Chairman Sen. Joe Lieberman (I-Conn.) said today after GAO’s reports were released.

Lieberman and Sen. Susan Collins of Maine, the committee’s ranking Republican, also sent letters today to Office of Management and Budget Director Peter Orszag and Homeland Security Secretary Janet Napolitano asking them to report on how they will carry out GAO’s recommendations.

Related stories:

DHS releases new details on Einstein 3 intrusion prevention pilot

DOE pitches $10M for energy cybersecurity

5 tips for cybersecurity-training your employees

In light of the cyberattacks, the FDCC’s objectives are to improve information security and reduce overall information technology operating costs. The initiative provides a baseline level of security standards that agencies can apply to their government-owned desktop and laptop computers. The initiative can potentially increase agencies’ information security by requiring stricter security settings on computers. By standardizing agencies’ computer management, the government can apply updates or patches more easily.

Similarly, the TIC’s goals are to secure agencies’ external network connections, such as Internet connections. In carrying out the initiative, agencies could either provide their own access points by becoming an access provider or seek service from these providers or a select set of vendors.

None of the 24 agencies that are required to make the FDCC changes made all of the prescribed configuration settings on their computers as of September 2009. However, several met agency-defined subsets of the initiative’s settings, GAO reported.

None of the 23 agencies under the TIC's rules had met all the requirements as of September 2009 and most agencies have had delays in dealing with TIC. For example, the 16 agencies that chose to become access providers reported that they had reduced their number of external connections from 3,286 to approximately 1,753. That is 225 more than they had planned, according to GAO.

Meanwhile.  agency officials said they have made progress in reducing their external connections to the Web, according to the report.

It isn’t easy to implement all those changes, GAO conceded. For the FDCC, agencies must retrofit applications and systems in their existing states. They must assess the risks associated with the deviations and make sure computers work properly after the making the changes, GAO states.

Despite the rigorous standards, the government has to protect its information and systems because of the frequency of information security incidents at federal agencies, the wide availability of hacking tools, and steady advances in the sophistication of attack technology, according to GAO.

“Unfortunately, these key initiatives, which have been underway for years, have faced challenges, particularly the lack of communication and follow through from the Office of Management and Budget and the Department of Homeland Security,” Lieberman said.

Sen. Tom Carper (D-Del.), chairman of the committee’s Federal Financial Management, Government Information, Federal Services, and International Security Subcommittee, said he hopes the president will sign by the end of the year the U.S. Information and Communications Enhancement Act, which includes major system security reforms.

Agencies officials generally agreed with the GAO’s assessment.

In one response to GAO, Linda Cureton, chief information officer at NASA, wrote that the future guidance for FDCC standards must keep pace with industry updates in common operating systems and applications.

“The FDCC technical guidance and policy releases tend to lag behind software releases,” she wrote, adding that pace is important if the initiatives are to remain relevant.

About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.

Cyber. Covered.

Government Cyber Insider tracks the technologies, policies, threats and emerging solutions that shape the cybersecurity landscape.


Reader comments

Fri, Apr 16, 2010

Breath_Deeply, do you know that FDCC is? "Federal DESKTOP Core Configuration". A desktop is a PC not a server or other device (laptops should be covered by FDCC as well). There is no FSCC (Federal Server Core Configuration) to date. There are other guidances for servers provided by NIST. I did not mean to imply that the users should do anything they want with the government's computers. Only that many users have jobs that require functionality that is restricted by the FDCC settings.

Wed, Apr 14, 2010

They are called personal computers because of IBM Marketing and the fact that they were not multi-user systems when they came out. That has nothing to do with ownership rights over how a system is used. The federal government employees do not own their "Personal Computers", therefore they do not have the right to dictate how they are used. The employer as the equipment owner has provided an employee with a tool to be used within a defined set of guidelines. No different than the requirements placed upon the use of agency motor vehicles. Forget the term personal computer, unless you own the computer, it's not personal, it's property rights.

Wed, Apr 14, 2010 Breath_Deeply

The core take away from this entire article is that agencies are not going the extra mile by implementing viable Projects of Actions and Milestones, as well as, mitigation reports/plans that justify the reasons why certain security settings cannot be placed on government owned devices, not PCs as a previous poster indicated. If there is justifiable proof that certain security measures cannot be implemented, then any authority will way the odds (i.e., risk) and decide how to handle that particular finding… In other words, junk in junk out… If agencies really wanted to do this, they would, otherwise they will just give excuses why they cannot meet the FDCC requirements and cause more trouble for themselves in the end.

Wed, Apr 14, 2010

Unfunded or barely funded mandates have a tendency to not get done. Production still must be met so the equipment is removed from the network and works off-line. Give the CIO the power to control the funding of systems and there will be changes.

Tue, Apr 13, 2010

How do you expect agencies to "lock down" desktops when almost every Federal employee thinks they are so important that the rules should not apply to them? There is also the problem of trying to get work done when you don't have the ability or permissions to use your "personal" computer and customize it as you would like. Why do you think they call them "personal computers"?

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group