High-impact federal systems are vulnerable and under constant assault

Federal agencies could do more to secure high-impact systems, starting with fully implementing their own comprehensive information security programs, the Government Accountability Office said in a report released June 21.

The systems GAO surveyed are "those that hold sensitive information, the loss of which could cause individuals, the government or the nation catastrophic harm," the report states.

GAO said the 24 agencies governed by the Chief Financial Officers Act have a total of 912 high-impact systems -- almost 10 percent of their systems.

Auditors questioned 18 of those agencies more closely. In fiscal 2014, the 18 agencies reported 2,267 security incidents that targeted their high-impact systems. Nearly 500 involved the installation of malicious code, and 202 pertained to unauthorized access.

The high-impact incidents are part of a broader trend: a 1,303 percent increase in federal information security incidents from 2006 to 2015.

The 18 agencies reported a wide variety of attack vectors, but the old threat -- risky clicks via web- and email-based phishing attempts -- led to most breaches.

The agencies said nation-state actors are among the most serious cyber adversaries testing their high-impact systems.

GAO took a deeper look at four agencies: NASA, the Office of Personnel Management, the Department of Veterans Affairs and the Nuclear Regulatory Commission.

In that deep dive into two high-impact systems at each of the four agencies, GAO found that authorization (or making sure users have the fewest privileges needed to get their jobs done) and boundary protection were weak in every system.

In some cases, patches weren't kept up-to-date or training programs were lacking.

GAO determined that more thorough implementation of existing information security plans would help better secure agencies' systems. The report urges the Office of Management and Budget to issue its revised Circular A-130 to provide agencies with solid security guidance.

GAO also made broad recommendations for NASA, OPM, the VA and NRC, and issued limited-release technical recommendations.

NASA, the VA and NRC concurred with GAO’s recommendations, but OPM took issue with some aspects of the report in its reply comments.

OPM Associate CIO David Vargas said one system under scrutiny belonged to a contractor, and, therefore, OPM didn't have direct responsibility for software patches and training. He also said GAO did not supply the information OPM requested so that the agency could confirm the watchdog's findings. GAO said the information in question had initially been supplied by OPM.

But the procedural quibbles were not the main thrust of GAO's critique.

"Without comprehensive security control assessments, OPM is at increased risk that it may not detect vulnerabilities in its systems," GAO warned.

The Senate Homeland Security and Governmental Affairs Committee publicized the report as a cause for continued congressional oversight.

"I remain concerned that federal agencies are not fulfilling their responsibilities under the law to secure federal information systems," Chairman Ron Johnson (R-Wis.) said in a statement.

"GAO's report details key improvements that must be immediately implemented by the four agencies covered in this report, including OPM," Sen. Susan Collins (R-Maine) said. "The work done by GAO helps to ensure that all our federal networks and databases are properly protected and secured."

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.

Click here for previous articles by Noble, or connect with him on Twitter: @thezachnoble.


  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.