GSA fails to follow through with IT security, IG says

Agency fails to apply its own security policy requirements, audit finds

General Services Administration officials have strengthened their agencywide IT security program, but auditors have found managers failing to follow all the procedures to make the program function well.

GSA’s IT officials need to closely watch how security officials apply baseline configuration requirements to IT systems and IT officials also need to include authenticated security scanning to their systems' technical testing processes, according to a review by the agency's inspector general.

“Authenticated scanning would provide a more comprehensive view as to the implementation of GSA’s IT security policy and hardening guides by system security officials,” the IG reported.

The report, released last December, is the fiscal 2010 Federal Information Security Management Act review of GSA’s IT security program. It's an annual audit of the agency’s IT security program and the results of five system security audits conducted during the year.

Related stories:

GSA employee may have exposed entire staff to identity theft

Report: WikiLeaks source exploited security flaw

In those reviews, auditors found weaknesses in database and operating system software that wasn't patched or securely configured and lax password management for database administrator accounts and said the weaknesses stem from a failure of system security officials to apply GSA’s IT security policy core requirements. In addition, officials were not being comprehensive when overseeing the technical testing of systems, the IG reported.

To improve IT system security, the IG recommended that all of GSA’s IT systems that are remotely accessed have a multi-factor authentication. Multi-factor authentication involves accessing IT systems with two or more unique identifiers, such as a user name and password, smart card, and a biometric.

None of the five systems were using the tougher authentications for remote access to sensitive information, the review said, adding that the systems could be accessed with only a user name and password, even though three of the systems include sensitive information.

One of the systems had a requirement to be secured with a multi-factor authentication, but officials didn’t follow up to make sure it was included, the IG said.

GSA also needs to get system security officials to prioritize how they will set up ways to monitor who has been accessing the systems, the report states. In the case of a security breach or unlawful access to information, a log may be a key to the investigation, it added.

"System security officials may be unable to identify unauthorized activity or when GSA systems are compromised" without it, the IG wrote.

GSA agreed with the findings.

About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.


  • Comment
    Diverse Workforce (Image: Shutterstock)

    Who cares if you wear a hoodie or a suit? It’s the mission that matters most

    Responding to Steve Kelman's recent blog post, Alan Thomas shares the inside story on 18F's evolution.

  • Cybersecurity
    enterprise security (Omelchenko/

    Does Einstein need a post-SolarWinds makeover?

    A marquee program designed to protect the government against cybersecurity threats is facing new scrutiny in the wake of Solar Winds Orion breach, but analysts say the program was unlikely to have ever stopped the hacking campaign.

Stay Connected