RealTime IT News

Lieberman Raps Federal IT Security Systems

Federal agencies are failing to implement effective information security policies and practices, and Sen. Joe Lieberman (D-Conn.) wants something done about it. Lieberman is the author of the E-Gov Act requiring annual reports on federal agencies' security practices.

His comments come in the wake of the most recent Government Accountability Office (GAO) report finding pervasive weaknesses in almost all areas of information security controls at 24 major agencies.

"Protecting federal computer systems and the systems that support critical infrastructures has never been more important due to the emergence of new and more destructive attacks," Lieberman said in a statement. "Consequently, it is imperative that federal agencies improve information security."

Across the 24 federal agencies it audited, the GAO study found weaknesses in five major areas: access controls, software change controls, segregation of duties, continuity of operations planning and agency-wide security programs.

The Departments of Defense, Homeland Security, Commerce, Transportation, Justice and Interior, the GAO states, have weaknesses in all five areas. The law requires each agency to have policies and procedures that ensure compliance with minimally acceptable system configuration requirements, as determined by the agency.

The report states, "As a result [of the deficiencies], federal operations and assets are at increased risk of fraud, misuse, and destruction and these weaknesses place financial data at risk of unauthorized modification or destruction."

It added, "These weaknesses place financial data at risk of unauthorized modification or destruction, sensitive information at risk of inappropriate disclosure, and critical operations at risk of disruption."

Lieberman's E-Government Act, which was signed into law in 2002, includes the Federal Information Security Management Act (FISMA), a toughened-up version of the Government Information Security Reform Act that he had originally coauthored in 2000. The law establishes guidelines for computer security throughout the federal government and provides for oversight by both Congress and the Office of Management and Budget.