The Government Accountability Office (GAO) found 24 agencies had persistent weaknesses in effectively applying information security policies and practices, according to a report released late last month.
In a Sept. 29 report to congressional committees, Federal Information Security: Agencies Need to Correct Weaknesses and Fully Implement Security Programs, the GAO discovered most agencies continue to have weaknesses in five information security areas that place critical information and systems used to support the operations, assets, and personnel of certain agencies at risk. These deficiencies can also impair the agencies’ efforts to fully implement effective information security programs.
The five weak areas include limiting preventing and detecting inappropriate access to computer resources; managing the configuration of software and hardware; segregating duties to ensure a single individual does not have control over all key aspects of a computer-related operation; planning for continuity of operations in the event of a disaster/disruption; and implementing agency-wide security management programs critical to identifying control deficiencies, resolving problems, and managing risks on an ongoing basis.
The GAO completed and submitted this report to Congress because the Federal Information Security Management Act (FISMA) of 2002 included a provision for the office to periodically report to Congress on agency implementation on the act’s provisions. FISMA 2002 established information security program and evaluation requirements for federal agencies and assigned some specific responsibilities to the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST).
This report’s objectives were to evaluate both the adequacy and effectiveness of agencies’ information security and practices and federal agencies’ implementation of FISMA 2002 requirements. The GAO also compared FISMA 2002 requirements with those updated in the Federal Information Security Modernization Act of 2014 (FISMA 2014).
The 24 agencies the GAO reviewed were those covered by the Chief Financial Officers Act of 1990. This group includes the Departments of Defense, Homeland Security, State, Treasury, Justice, Commerce, and Veterans Affairs as well as the Office of Personnel Management, General Services Administration, NASA, Nuclear Regulatory Commission, and Small Business Administration.
The office recommends the Director of the Office of Management and Budget, “in consultation with the Secretary of Homeland Security, the Chief Information Officers Council, and the Council of the Inspectors General on Integrity and Efficiency, enhance reporting guidance to the inspectors general for all rating components of agency security programs, such as configuration management and risk management, so that the ratings will be consistent and comparable.”
Although previous reports from both the GAO and agency inspectors general made hundreds of recommendations to address such deficiencies, many of the recommendations have still not been implemented, the report said.
The office highlighted the number of information security incidents affecting systems supporting the federal government increased through 2014. “Since fiscal year 2006, the number rose from 5,503 to 67,168 in fiscal year 2014: an increase of 1,121 percent,” the report said.
The number of incidents involving personally identifiable information (PII) also doubled in recent years, from 10,481 in 2009 to 27,624 in 2014, GAO said. Of the reported 2014 cyber incidents, the most widely reported type was scans/probes/attempted access. This kind of incident can involve identifying a federal agency computer, open ports, protocols, service, or any combination of them for a future exploit. This kind of incident includes the OPM breaches, GAO said.
“Federal agencies’ information and systems remain at a high risk of unauthorized access, use, disclosure, modification, and disruption. These risks are illustrated by the wide array of cyber threats, an increasing number of cyber incidents, and breaches of PII occurring at federal agencies,” the report said.
“Until agencies correct longstanding control deficiencies and address the hundreds of recommendations that we and agency inspectors general have made, federal systems will remain at increased and unnecessary risk of attack or compromise,” it added.
OMB generally concurred with the report’s recommendation, the GAO noted.