Agencies struggle with securing computers, GAO reports

Senators are taking action to get agencies on track with securing their computer systems from cyber attacks

Despite the frequency of cyberattacks against government networks, no major agency has fully secured its computers to the specifications in two major White House protection initiatives, a pair of new reports said.

No agency has met all of the requirements of the Trusted Internet Connection (TIC) or the Federal Desktop Core Configuration (FDCC) initiatives, the Government Accountability Office reported today. As a result, senators are drafting legislation to deal with many of the lessons learned in starting these key cybersecurity initiatives, Homeland Security and Governmental Affairs Committee Chairman Sen. Joe Lieberman (I-Conn.) said today after GAO’s reports were released.

Lieberman and Sen. Susan Collins of Maine, the committee’s ranking Republican, also sent letters today to Office of Management and Budget Director Peter Orszag and Homeland Security Secretary Janet Napolitano asking them to report on how they will carry out GAO’s recommendations.




In light of the cyberattacks, the FDCC’s objectives are to improve information security and reduce overall information technology operating costs. The initiative provides a baseline level of security standards that agencies can apply to their government-owned desktop and laptop computers. The initiative can potentially increase agencies’ information security by requiring stricter security settings on computers. By standardizing agencies’ computer management, the government can apply updates or patches more easily.

Similarly, the TIC’s goals are to secure agencies’ external network connections, such as Internet connections. In carrying out the initiative, agencies could either provide their own access points by becoming an access provider or seek service from these providers or a select set of vendors.

None of the 24 agencies that are required to make the FDCC changes made all of the prescribed configuration settings on their computers as of September 2009. However, several met agency-defined subsets of the initiative’s settings, GAO reported.

None of the 23 agencies under the TIC's rules had met all the requirements as of September 2009, and most agencies have had delays in dealing with TIC. For example, the 16 agencies that chose to become access providers reported that they had reduced their number of external connections from 3,286 to approximately 1,753. That is 225 more than they had planned, according to GAO.

Meanwhile, agency officials said they have made progress in reducing their external connections to the Web, according to the report.

It isn’t easy to implement all those changes, GAO conceded. For the FDCC, agencies must retrofit applications and systems in their existing states. They must assess the risks associated with the deviations and make sure computers work properly after making the changes, GAO states.

Despite the rigorous standards, the government has to protect its information and systems because of the frequency of information security incidents at federal agencies, the wide availability of hacking tools, and steady advances in the sophistication of attack technology, according to GAO.

“Unfortunately, these key initiatives, which have been underway for years, have faced challenges, particularly the lack of communication and follow through from the Office of Management and Budget and the Department of Homeland Security,” Lieberman said.

Sen. Tom Carper (D-Del.), chairman of the committee’s Federal Financial Management, Government Information, Federal Services, and International Security Subcommittee, said he hopes the president will sign by the end of the year the U.S. Information and Communications Enhancement Act, which includes major system security reforms.

Agency officials generally agreed with the GAO’s assessment.

In one response to GAO, Linda Cureton, chief information officer at NASA, wrote that the future guidance for FDCC standards must keep pace with industry updates in common operating systems and applications.

“The FDCC technical guidance and policy releases tend to lag behind software releases,” she wrote, adding that pace is important if the initiatives are to remain relevant.

About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.
