GSA fails to follow through with IT security, IG says

Agency fails to apply its own security policy requirements, audit finds

General Services Administration officials have strengthened their agencywide IT security program, but auditors have found managers failing to follow all the procedures to make the program function well.

GSA’s IT officials need to closely watch how security officials apply baseline configuration requirements to IT systems and IT officials also need to include authenticated security scanning to their systems' technical testing processes, according to a review by the agency's inspector general.

“Authenticated scanning would provide a more comprehensive view as to the implementation of GSA’s IT security policy and hardening guides by system security officials,” the IG reported.

The report, released last December, is the fiscal 2010 Federal Information Security Management Act review of GSA’s IT security program. It's an annual audit of the agency’s IT security program and the results of five system security audits conducted during the year.


Related stories:

GSA employee may have exposed entire staff to identity theft

Report: WikiLeaks source exploited security flaw


In those reviews, auditors found weaknesses in database and operating system software that wasn't patched or securely configured and lax password management for database administrator accounts and said the weaknesses stem from a failure of system security officials to apply GSA’s IT security policy core requirements. In addition, officials were not being comprehensive when overseeing the technical testing of systems, the IG reported.

To improve IT system security, the IG recommended that all of GSA’s IT systems that are remotely accessed have a multi-factor authentication. Multi-factor authentication involves accessing IT systems with two or more unique identifiers, such as a user name and password, smart card, and a biometric.

None of the five systems were using the tougher authentications for remote access to sensitive information, the review said, adding that the systems could be accessed with only a user name and password, even though three of the systems include sensitive information.

One of the systems had a requirement to be secured with a multi-factor authentication, but officials didn’t follow up to make sure it was included, the IG said.

GSA also needs to get system security officials to prioritize how they will set up ways to monitor who has been accessing the systems, the report states. In the case of a security breach or unlawful access to information, a log may be a key to the investigation, it added.

"System security officials may be unable to identify unauthorized activity or when GSA systems are compromised" without it, the IG wrote.

GSA agreed with the findings.

About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.