GAO: Federal Systems Security Still Lacking

The good news: Federal agencies are making progress in implementing stronger information security regimes. The bad news: It hasn’t helped much.

A new report released Friday by the general Accountability Office (GAO)

states that “overall” agencies are improving their systems security, but

“pervasive weaknesses” still plague agencies and threaten the “integrity,

confidentiality and availability” of federal information systems.

In addition, the GAO report states the weaknesses place financial data at

risk of unauthorized modification or destruction, sensitive information at

risk of inappropriate disclosure and critical operations at risk of

disruption.

According to the GAO, the weaknesses exist because agencies have not yet

fully implemented the security measures mandated by the 2002 Federal

Information Security Management Act (FISMA).

“As a result, federal operations and assets are at increased risk of fraud,

misuse and destruction,” the GAO report states. “In addition, these

weaknesses place financial data at risk of unauthorized modification or

destruction, sensitive information at risk of inappropriate disclosure and

critical operations at risk of disruption.”

Of the 24 federal agencies it audited, the GAO study found five major areas

of weaknesses including access controls, software change controls,

segregation of duties, continuity of operations planning and agency-wide

security programs.

The Departments of Defense, Homeland Security, Commerce, Transportation,

Justice and Interior, the GAO states, have weaknesses in all five areas.

FISMA requires each agency to have policies and procedures that ensure

compliance with minimally acceptable system configuration requirements, as

determined by the agency.

In fiscal year 2004, for the first time, agencies reported on the degree to

which they had implemented security configurations for specific operating

systems and software applications.

“Our analysis of the 2004 agency FISMA reports found that 20 agencies

reported that they had implemented agency-wide policies containing detailed,

specific system configurations,” the report states. “However, these agencies

did not necessarily have minimally acceptable system configuration

requirements for operating systems and software applications that they were

running.”

Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee,

said in a statement, “The FISMA process is not a perfect one. I think it

provides the agencies with a strong management framework, but I recognize

that it is not a panacea; there may be a need for amendments to facilitate

implementation of the security concepts that drive FISMA.”

To shore up security at federal agencies, the GAO recommended that the

Office of Management and Budget (OMB) implement improvements in reporting

guidance.

“Some FISMA requirements are not specifically being addressed through these

means, such as reporting on risk assessments, subordinate security plans,

security incident detection and response activities, and whether weaknesses

are mitigated,” the report states.

Davis, whose committee oversees federal agency operations, added, “The FISMA

process is still a young one; as it matures, the guidance will go through

growing pains and require further changes. Given the ever-evolving nature of

cyber threats, complacency is not an option.”

News Around the Web