Critical Read

5 things agencies get wrong about infosec


What: A Government Accountability Office report on persistent info security weaknesses at federal agencies

Why: Despite the Federal Information Security Management Act of 2002, which requires agencies to put cybersecurity programs in place to protect their IT and data, two dozen federal agencies still have persistent weaknesses in information security, according to the Sept. 29 GAO report.

In its report, GAO said protections at federal agencies remain mixed. Although most agencies had developed and documented policies and procedures for managing risk, providing security training and taking remedial actions, among other things, each agency's inspector general reported weaknesses in the processes used to implement FISMA requirements.

The report said most agencies continue to have weaknesses in five areas:

- Limiting, preventing and detecting inappropriate access to computer resources.

- Managing the configuration of software and hardware.

- Segregating duties to ensure that a single individual does not have control over all key aspects of a computer-related operation.

- Planning for continuity of operations in the event of a disaster or disruption.

- Implementing agency-wide security management programs that are critical to identifying control deficiencies, resolving problems and managing risks on an ongoing basis.

The weaknesses, GAO said, put at risk the critical information and IT systems that support federal operations, assets and personnel, and undermine agencies' efforts to fully implement effective information security programs. GAO and agency inspectors general have made "hundreds of recommendations to agencies" about how to address gaps in information security controls and weaknesses in their programs, but many of those recommendations remain unimplemented.

Sen. Tom Carper (D-Del.), ranking member of the Homeland Security and Government Affairs Committee and a co-sponsor of the 2014 update to the FISMA legislation, wasn't pleased with the latest GAO report, calling the results "disappointing." But he found a silver lining in the fact that GAO's audit took place before the FISMA update.

The senator said the revised version of FISMA better delineated the roles and responsibilities of the Office of Management and Budget and the Department of Homeland Security in securing federal networks, and moved agencies away from paperwork-heavy processes toward real-time and automated security, as well as put greater management and oversight attention on data breaches.

Carper added that his newly introduced legislation, the Federal Cybersecurity Enhancement Act of 2015, would help by requiring agencies to adopt key cybersecurity practices and tools, including DHS' Einstein cyber intrusion detection and prevention system, and by mandating the deployment of cybersecurity best practices at agencies, such as intrusion assessments, strong authentication, encryption of sensitive data and appropriate access controls.

Verbatim: "The number of information security incidents affecting systems supporting the federal government has continued to increase. Since fiscal year 2006, the number rose from 5,503 to 67,168 in fiscal year 2014: an increase of 1,121 percent."

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

