5 things agencies get wrong about infosec

A GAO report finds persistent weaknesses in how federal agencies protect their data and their IT systems.

What: A Government Accountability Office report on persistent info security weaknesses at federal agencies

Why: Despite the Federal Information Security Management Act of 2002, which requires agencies to put cybersecurity programs in place to protect their IT and data, two dozen federal agencies still have persistent weaknesses in information security, according to the Sept. 29 GAO report.

In its report, GAO said protections at federal agencies remain mixed. The report said that although most agencies had developed and documented policies and procedures for managing risk, providing security training, and taking remedial actions, among other things, each agency's inspector general reported weaknesses in the processes used to implement FISMA requirements.

The report said most agencies continue to have weaknesses in five areas:

- Limiting, preventing, and detecting inappropriate access to computer resources.

- Managing the configuration of software and hardware.

- Segregating duties to ensure that a single individual does not have control over all key aspects of a computer-related operation.

- Planning for continuity of operations in the event of a disaster or disruption.

- Implementing agency-wide security management programs that are critical to identifying control deficiencies, resolving problems, and managing risks on an ongoing basis.

The weaknesses, GAO said, put critical information and IT systems that support federal operations, assets and personnel at risk, and damage agencies’ efforts to fully implement effective information security programs. GAO and agency inspectors general have made "hundreds of recommendations to agencies" about how to address gaps in information security controls and weaknesses in their programs, but many of the recommendations remain unimplemented.

Sen. Tom Carper (D-Del.), ranking member of the Homeland Security and Government Affairs Committee and a co-sponsor of the 2014 update to the FISMA legislation, wasn't pleased with the latest GAO report, calling the results "disappointing." But he found a silver lining because the GAO's audit took place before the FISMA update.

The senator said the revised version of FISMA better delineated the roles and responsibilities of the Office of Management and Budget and the Department of Homeland Security in securing federal networks, and moved agencies away from paperwork-heavy processes toward real-time and automated security, as well as put greater management and oversight attention on data breaches.

Carper added that his newly introduced legislation, the Federal Cybersecurity Enhancement Act of 2015, would help by requiring agencies to adopt key cybersecurity practices and tools, including DHS' Einstein cyber intrusion detection and prevention system, as well as by mandating the deployment of cybersecurity best practices at agencies -- such as intrusion assessments, strong authentication, encryption of sensitive data and appropriate access controls.

Verbatim: "The number of information security incidents affecting systems supporting the federal government has continued to increase. Since fiscal year 2006, the number rose from 5,503 to 67,168 in fiscal year 2014: an increase of 1,121 percent."