Government auditor paints grim picture of security in federal agencies
Majority of agencies still significantly weak; GAO is not amused
June 8, 2007 12:00 PM ETComputerworld - Despite some progress, a majority of federal government agencies still have significant weaknesses in their information security controls, according to a report released by the Government Accountability Office (GAO) Thursday.
As a result, the confidentiality, integrity and availability of critical information and information systems is in jeopardy governmentwide, the report said, in a grim assessment of the state of information security across federal agencies.
"Almost all of the major federal agencies had weaknesses in one or more areas of information security controls," said Gregory Wilshusen, the GAO’s director of information security issues, in testimony submitted to the House Committee on Oversight and Government Reform.
According to Wilshusen's testimony, "Most agencies did not implement controls to sufficiently prevent, limit or detect access to computer networks, systems or information."
The GAO’s 33-page report was based on input on the state of security within each agency during 2006 from the inspectors general of 24 major federal agencies. According to the report, several agencies reported making progress in certain areas, such as security awareness training for employees and contractors.
The percentage of systems that were being tested and evaluated on an annual basis has also increased, as has the number of systems with tested contingency plans and systems that have been certified and accredited as being secure, the report said.
These achievements, however, were overshadowed by what the GAO described as major holes in several key security areas. These included access controls for ensuring that only authorized personnel had access to critical data, configuration management controls to prevent unauthorized software from running on government systems, segregation of duties and business continuity planning. Most agencies also did not have any formal information security management program in place for understanding risks and putting in place controls for addressing those risks.
The "persistent weaknesses" in each of these areas contributed to a spate of serious security breaches across multiple agencies during 2006, the GAO reported. The breaches mentioned in the report included the compromise at the Department of Veterans Affairs, which resulted in the potential exposure of personal data belonging to over 26 million veterans. Also mentioned in the report was a laptop theft from the Centers for Medicare and Medicaid Services, which potentially compromised personal records of nearly 50,000 individuals; another at The Department of Agriculture, which accidentally posted on a public Web site personal data on about 39,700 people; and a third at the Transportation Security Administration involving approximately 100,000 employee records.
"The breakthrough at yesterday's hearing was the end of resistance to the idea that FISMA is fatally flawed," said Alan Paller, director of research at the SANS Institute in Bethesda, Md. "That was the read-between-the-lines conclusion from the GAO report."
Paller was referring to the Federal Information Security Management Act, which specifies controls that all major federal agencies are required to follow. The directive has been receiving increasing criticism from several quarters, since many see it as only a bureaucratic exercise that adds little substance to federal information security efforts.
general accounting office
Additional Resources



White Papers & Webcasts
PCI DSS Compliance in the UNIX/Linux Datacenter Environment
Download this complimentary white paper today! Provided by BeyondTrust.
Preventing Data Breaches in Privileged Accounts Using Access Control
To learn how using access control can protect your organization, download this white paper today!
Achiving Compliance Through Good Governance
Watch this complimentary video today!
The State of PCI DSS Compliance at Organizations Today
Download this resource today!
Extending Client Refresh - 11 Steps to Maximize Savings
Register Now!
FISMA Prescriptive Guide
A Tactical Guide Enabling you to take Action and Achieve Operational Excellence
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Sustaining SOX Compliance: Best Practices to Mitigate Risk, Automate Compliance, and Reduce Costs
Discover how to make SOX efforts more effective today!
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
