Government auditor paints grim picture of security in federal agencies

Computerworld - Despite some progress, a majority of federal government agencies still have significant weaknesses in their information security controls, according to a report released by the Government Accountability Office (GAO) Thursday.

As a result, the confidentiality, integrity and availability of critical information and information systems is in jeopardy governmentwide, the report said, in a grim assessment of the state of information security across federal agencies.

"Almost all of the major federal agencies had weaknesses in one or more areas of information security controls," said Gregory Wilshusen, the GAO’s director of information security issues, in testimony submitted to the  House Committee on Oversight and Government Reform.

According to Wilshusen's testimony, "Most agencies did not implement controls to sufficiently prevent, limit or detect access to computer networks, systems or information."

The GAO’s 33-page report was based on input on the state of security within each agency during 2006 from the inspectors general of 24 major federal agencies. According to the report, several agencies reported making progress in certain areas, such as security awareness training for employees and contractors. 

The percentage of systems that were being tested and evaluated on an annual basis has also increased, as has the number of systems with tested contingency plans and systems that have been certified and accredited as being secure, the report said.

These achievements, however, were overshadowed by what the GAO described as major holes in several key security areas. These included access controls for ensuring that only authorized personnel had access to critical data, configuration management controls to prevent unauthorized software from running on government systems, segregation of duties and business continuity planning. Most agencies also did not have any formal information security management program in place for understanding risks and putting in place controls for addressing those risks.

The "persistent weaknesses" in each of these areas contributed to a spate of serious security breaches across multiple agencies during 2006, the GAO reported. The breaches mentioned in the report included the compromise at the Department of Veterans Affairs, which resulted in the potential exposure of personal data belonging to over 26 million veterans. Also mentioned in the report was a laptop theft from the Centers for Medicare and Medicaid Services, which potentially compromised personal records of nearly 50,000 individuals; another at The Department of Agriculture, which accidentally posted on a public Web site personal data on about 39,700 people; and a third at the Transportation Security Administration involving approximately 100,000 employee records.

"The breakthrough at yesterday's hearing was the end of resistance to the idea that FISMA is fatally flawed," said Alan Paller, director of research at the SANS Institute in Bethesda, Md. "That was the read-between-the-lines conclusion from the GAO report."

Paller was referring to the Federal Information Security Management Act, which specifies controls that all major federal agencies are required to follow. The directive has been receiving increasing criticism from several quarters, since many see it as only a bureaucratic exercise that adds little substance to federal information security efforts.