GSA fails to follow through with IT security, IG says

Agency fails to apply its own security policy requirements, audit finds

General Services Administration officials have strengthened their agencywide IT security program, but auditors have found managers failing to follow all the procedures to make the program function well.

GSA’s IT officials need to closely watch how security officials apply baseline configuration requirements to IT systems and IT officials also need to include authenticated security scanning to their systems' technical testing processes, according to a review by the agency's inspector general.

“Authenticated scanning would provide a more comprehensive view as to the implementation of GSA’s IT security policy and hardening guides by system security officials,” the IG reported.

The report, released last December, is the fiscal 2010 Federal Information Security Management Act review of GSA’s IT security program. It's an annual audit of the agency’s IT security program and the results of five system security audits conducted during the year.


Related stories:

GSA employee may have exposed entire staff to identity theft

Report: WikiLeaks source exploited security flaw


In those reviews, auditors found weaknesses in database and operating system software that wasn't patched or securely configured and lax password management for database administrator accounts and said the weaknesses stem from a failure of system security officials to apply GSA’s IT security policy core requirements. In addition, officials were not being comprehensive when overseeing the technical testing of systems, the IG reported.

To improve IT system security, the IG recommended that all of GSA’s IT systems that are remotely accessed have a multi-factor authentication. Multi-factor authentication involves accessing IT systems with two or more unique identifiers, such as a user name and password, smart card, and a biometric.

None of the five systems were using the tougher authentications for remote access to sensitive information, the review said, adding that the systems could be accessed with only a user name and password, even though three of the systems include sensitive information.

One of the systems had a requirement to be secured with a multi-factor authentication, but officials didn’t follow up to make sure it was included, the IG said.

GSA also needs to get system security officials to prioritize how they will set up ways to monitor who has been accessing the systems, the report states. In the case of a security breach or unlawful access to information, a log may be a key to the investigation, it added.

"System security officials may be unable to identify unauthorized activity or when GSA systems are compromised" without it, the IG wrote.

GSA agreed with the findings.

About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.