High-impact federal systems are vulnerable and under constant assault

Federal agencies could do more to secure high-impact systems, starting with fully implementing their own comprehensive information security programs, the Government Accountability Office said in a report released June 21.

The systems GAO surveyed are "those that hold sensitive information, the loss of which could cause individuals, the government or the nation catastrophic harm," the report states.

GAO said the 24 agencies governed by the Chief Financial Officers Act have a total of 912 high-impact systems -- almost 10 percent of their systems.

Auditors questioned 18 of those agencies more closely. In fiscal 2014, the 18 agencies reported 2,267 security incidents that targeted their high-impact systems. Nearly 500 involved the installation of malicious code, and 202 pertained to unauthorized access.

The high-impact incidents are part of a broader trend: a 1,303 percent increase in federal information security incidents from 2006 to 2015.

The 18 agencies reported a wide variety of attack vectors, but the old threat -- risky clicks via web- and email-based phishing attempts -- led to most breaches.

The agencies said nation-state actors are among the most serious cyber adversaries testing their high-impact systems.

GAO took a deeper look at four agencies: NASA, the Office of Personnel Management, the Department of Veterans Affairs and the Nuclear Regulatory Commission.

In that deep dive into two high-impact systems at each of the four agencies, GAO found that authorization (or making sure users have the fewest privileges needed to get their jobs done) and boundary protection were weak in every system.

In some cases, patches weren't kept up-to-date or training programs were lacking.

GAO determined that more thorough implementation of existing information security plans would help better secure agencies' systems. The report urges the Office of Management and Budget to issue its revised Circular A-130 to provide agencies with solid security guidance.

GAO also made broad recommendations for NASA, OPM, the VA and NRC, and issued limited-release technical recommendations.

NASA, the VA and NRC concurred with GAO’s recommendations, but OPM took issue with some aspects of the report in its reply comments.

OPM Associate CIO David Vargas said one system under scrutiny belonged to a contractor, and, therefore, OPM didn't have direct responsibility for software patches and training. He also said GAO did not supply the information OPM requested so that the agency could confirm the watchdog's findings. GAO said the information in question had initially been supplied by OPM.

But the procedural quibbles were not the main thrust of GAO's critique.

"Without comprehensive security control assessments, OPM is at increased risk that it may not detect vulnerabilities in its systems," GAO warned.

The Senate Homeland Security and Governmental Affairs Committee publicized the report as a cause for continued congressional oversight.

"I remain concerned that federal agencies are not fulfilling their responsibilities under the law to secure federal information systems," Chairman Ron Johnson (R-Wis.) said in a statement.

"GAO's report details key improvements that must be immediately implemented by the four agencies covered in this report, including OPM," Sen. Susan Collins (R-Maine) said. "The work done by GAO helps to ensure that all our federal networks and databases are properly protected and secured."

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.

Click here for previous articles by Noble, or connect with him on Twitter: @thezachnoble.


  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.