Responses to Posthearing Questions
AIMD-00-46R: Published: Nov 30, 1999. Publicly Released: Nov 30, 1999.
Pursuant to a congressional request, GAO responded to questions concerning its October 1999 testimony on the information security weaknesses at 22 federal agencies, focusing on: (1) whether GAO has taken the necessary steps since its previous testimony to ensure that identified security lapses at three agencies were quickly and permanently closed; (2) how agencies are addressing and responding to the security problems; (3) whether there has been enough time since the issuance of Presidential Decision Directive 63 in May 1998 to work out the details of the National Infrastructure Assurance Plan; (4) whether the threat to the nation's critical infrastructures is serious enough to warrant a full-scale and timely effort to develop and institute an action plan for establishing certain safeguards over them; and (5) whether satisfactory steps have been taken to prevent hackers from penetrating sensitive Department of Defense (DOD) systems.
GAO noted that: (1) the agencies generally concurred with GAO recommendations and are taking steps to address the weaknesses; (2) GAO routinely follows up on recommendations made to agencies; (3) GAO has performed several reviews and issued a number of reports related to the status of computer security at the Department of Veterans Affairs (VA); (4) however, although periodic independent reviews are important, agency officials are ultimately responsible for ensuring that effective corrective actions are taken to address security lapses; (5) GAO finds that agencies react to individual audit findings, with little ongoing attention to systemic causes of control weaknesses; (6) as GAO mentioned in its testimony, many agencies have not instituted frameworks for proactively managing the information security risks associated with their operations, which is an underlying cause of poor federal information security; (7) GAO reported that the VA's Austin Automation Center had not established a framework for continually assessing risks and routinely monitoring and evaluating the effectiveness of information system controls; (8) GAO has not investigated the specific reasons for the delays with officials involved in the plan's development; (9) however, based on GAO's limited discussions with officials, GAO believes that the task of developing a comprehensive plan has been more complicated than first expected; (10) while it is important that the plan be issued expeditiously, it is more important that the plan be thoughtfully designed so that it can serve as a means of building consensus and provide a roadmap for action; (11) the risks associated with the nation's reliance on interconnected computer systems are substantial and varied; (12) a significant concern, as GAO reported in October 1999, is that terrorists or hostile foreign states could launch computer-based attacks on critical systems; (13) GAO reported that DOD had initiated some corrective actions to address pervasive information security weaknesses; (14) however, weaknesses in DOD information security continue to provide hackers and hundreds of thousands of authorized users the opportunity to modify, steal, inappropriately disclose, and destroy sensitive DOD data, which has adversely affected DOD functions; and (15) GAO found that the progress in correcting specific control weaknesses identified during GAO's previous reviews had been inconsistent across the various DOD components involved and that weaknesses persisted in every general control area.