Information Security:

Serious Weaknesses Place Critical Federal Operations and Assets at Risk

AIMD-98-92: Published: Sep 23, 1998. Publicly Released: Sep 23, 1998.

Contact:

Robert F. Dacey
(202) 512-3317
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO reviewed: (1) the effectiveness of federal information security practices based on recently issued audit reports; (2) efforts to centrally oversee and manage federal information security; and (3) actions taken by the Office of Management and Budget (OMB) and the federal Chief Information Officers (CIO) Council to address federal information security problems.

GAO noted that: (1) the expanded amount of audit evidence that has become available since mid-1996 describes widespread and serious weaknesses in the federal government's ability to adequately protect: (a) federal assets from fraud and misuse; (b) sensitive information from inappropriate disclosure; and (c) critical operations, including some affecting public safety, from disruption; (2) significant information security weaknesses were reported in each of the 24 largest federal agencies, with inadequately restricted access to sensitive data being the most widely reported problem; (3) this and the other types of weaknesses identified place critical government operations at great risk of fraud, disruption, and inappropriate disclosures; (4) in addition, many intrusions or other potentially malicious acts could be occurring but going undetected because agencies have not implemented effective controls to identify suspicious activity on their networks and computer systems; (5) agency officials have not instituted procedures for ensuring that risks are fully understood and that controls implemented to mitigate risks are effective; (6) implementing such procedures as part of a proactive, organization-wide security management program is essential in today's interconnected computing environments; (7) similarly, agency performance in this area is not yet being adequately managed from a governmentwide perspective, although some important steps have been taken; (8) the CIO Council, under OMB's leadership, designated information security as a priority area in late 1997 and, since then, has taken some steps to develop a preliminary strategy, promote awareness, and identify ways to improve a federal incident response program; (9) in May 1998, Presidential Decision Directive (PDD) 63 on critical infrastructure protection was issued; (10) PDD 63 acknowledged computer security as a national security risk and established several entities to address critical infrastructure protection, including federal agency information infrastructures; (11) what needs to emerge is a coordinated and comprehensive strategy that incorporates the worthwhile efforts already under way and takes advantage of the expanded amount of evidence that has become available in recent years; and (12) the objectives of such a strategy should be to encourage agency improvement efforts and measure their effectiveness through an appropriate level of oversight.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: Enacted in December 2002, the Federal Information Security Management Act of 2002 requires federal departments and agencies to establish information security programs that meet specific requirements and to perform annual reviews and independent evaluations of these programs. OMB has also provided annual reporting guidance to the agencies that includes specific performance measures for many of these requirements, and has established overall performance goals for key requirements. For example, one such measure is the percentage of agency systems that have been certified and accredited, a process that helps to ensure that the controls for an information system meet specified security requirements and that management approves the operation of the system at an acceptable level of risk. Related to this measure, OMB has established an overall performance goal that 80 percent of federal information systems be certified and accredited by the end of fiscal year 2003. In addition, agencies must report the results of their annual security program reviews to OMB and Congress, and OMB must report the overall results of agencies' annual independent evaluations to Congress by March first of each year. These statutory program and reporting requirements, as well as the OMB-established performance measures and goals, satisfy the overall intent of this recommendation that federal information security be coordinated under a comprehensive strategy.

    Recommendation: The Director, OMB, and the Assistant to the President for National Security Affairs should ensure that the various existing and newly initiated efforts to improve federal information security are coordinated under a comprehensive strategy. Such a strategy should include long-term goals and objectives, including timeframes, priorities, and annual performance goals.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  2. Status: Closed - Implemented

    Comments: In late 2000, Congress enacted Government Information Security Reform provisions that require annual audits of all agency information systems. In support of this effort, the National Institute of Standards and Technology and the Office of Management and Budget, working with the Chief Information Officers Council, developed the Federal Information Technology Security Assessment Framework and a supporting questionnaire, the Security Self-Assessment Guide for Information Technology Systems (SP 800-26, November 2001) to guide agency efforts. In addition, in mid-2001, the National Institute of Standards and Technology established an "expert review team" to help agencies evaluate the security of their systems. The Office of Management and Budget now requires that the agencies use the security self-assessment guide in performing their Government Information Security Reform reviews. Also, in its July 2002 reporting instructions to the agencies, the Office of Management and Budget specifically encourages that inspector general independent evaluations be a representative sampling of agency systems, which would include both financial and nonfinancial systems.

    Recommendation: The Director, OMB, and the Assistant to the President for National Security Affairs should ensure that the various existing and newly initiated efforts to improve federal information security are coordinated under a comprehensive strategy. Such a strategy should ensure that the security of both financial and nonfinancial systems is adequately evaluated on a regular basis.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  3. Status: Closed - Implemented

    Comments: In June 1999, the Federal CIO Council issued a report entitled "Meeting the Federal IT Workforce Challenge," which included 13 recommendations. The Office of Personnel Management has acted to address many of the recommendations, including revising job titles and standards and authorizing pay enhancements for information technology workers. Other actions include a scholarship program, focused recruitment efforts, and grants to educational institutions. In addition, Government Information Security Reform legislation enacted in 2000 requires agencies to ensure training for personnel with significant information security responsibilities. While information technology workforce shortages continue, these actions represent significant efforts to address this issue. Accordingly, recognizing that long-term efforts in this area must continue, GAO is closing this recommendation.

    Recommendation: The Director, OMB, and the Assistant to the President for National Security Affairs should ensure that the various existing and newly initiated efforts to improve federal information security are coordinated under a comprehensive strategy. Such a strategy should ensure the adequacy of information technology workforce skills.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  4. Status: Closed - Implemented

    Comments: During late 1999 and early 2000, the Chief Information Officers Council sponsored an effort to establish a repository of security "best practices," which was led by the Agency for International Development and made available through the Internet. In August 2001, the Chief Information Officers Council recognized the success of the Federal Best Security Practices pilot effort and began steps to see it transitioned to an operational, institutional program. Specifically, the Council asked National Institute of Standards and Technology's Computer Security Division to create a security practices web site. This transition is complete and is now available as "Agency Security Practices" found on National Institute of Standards and Technology's Computer Security Resource Clearinghouse website (http://csrc.nist.gov/). In addition, the National Institute of Standards and Technology has issued a number of information security guidance documents, covering such topics as risk management, intrusion detection systems, and contingency planning. It has also issued a Security Self-Assessment Guide for Information Technology Systems (SP 800-26, November 2001) and an automated version, the Automated Security Self-Evaluation Tool (ASSET).

    Recommendation: The Director, OMB, and the Assistant to the President for National Security Affairs should ensure that the various existing and newly initiated efforts to improve federal information security are coordinated under a comprehensive strategy. Such a strategy should identify and promote proven security tools, techniques, and management best practices.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  5. Status: Closed - Implemented

    Comments: Several significant actions have been taken to promote risk awareness. Specifically, the Critical Infrastructure Assurance Office, the Federal Chief Information Officers Council, and Office of Management and Budget have held seminars and urged agencies to gain a more thorough understanding of the risks associated with their use of the Internet, and to more explicitly identify the steps they are taking to ensure the security of their computerized operations. In addition, Government Information Security Reform legislation requires agencies to implement a risk management approach, and the Office of Management and Budget now requires that agencies annually report the number of systems that have received risk assessments. The National Institute of Standards and Technology has also recently issued a guide for federal agencies on risk management (SP 800-30, January 2002).

    Recommendation: The Director, OMB, and the Assistant to the President for National Security Affairs should ensure that the various existing and newly initiated efforts to improve federal information security are coordinated under a comprehensive strategy. Such a strategy should promote information security risk awareness among senior agency officials whose critical operations rely on automated systems.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  6. Status: Closed - Implemented

    Comments: In its February 2002 statutory report to the Congress on Government Information Security Reform, the Office of Management and Budget identified six common government-wide security weaknesses based on its review of reports submitted by the agencies and their inspectors general. Also, the Critical Infrastructure Protection Office, within the Department of Commerce, has developed a methodology, referred to as Project Matrix, for identifying key federal assets and operations that merit strong protection. In its report to Congress, the Office of Management and Budget established a requirement for large federal agencies to undergo a Project Matrix review. These efforts, and particularly annual reporting by the Office of Management and Budget to Congress on the results of Government Information Security Reform evaluations, should continue to help identify the most significant information security issues facing federal agencies.

    Recommendation: The Director, OMB, and the Assistant to the President for National Security Affairs should ensure that the various existing and newly initiated efforts to improve federal information security are coordinated under a comprehensive strategy. Such a strategy should identify and rank the most significant information security issues facing federal agencies.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  7. Status: Closed - Implemented

    Comments: In October 2000, Congress enacted Government Information Security Reform provisions that consolidated separate information security requirements found in law and guidance into an overall framework for managing information security. This legislation reinforced the information security oversight role of the Office of Management and Budget by requiring agencies to report the results of an annual independent evaluation of their information security programs and practices to the Office of Management and Budget, which is to submit an annual report to Congress summarizing these results. It also defined the responsibilities of other agencies, such as the Department of Commerce, through the National Institute of Standards and Technology, to develop and issue information security standards and guidance, and the Secretary of Defense and the Director of Central Intelligence to develop and issue standards and guidance for national security systems. In addition, in October 2001, the President issued an executive order establishing the Critical Infrastructure Protection Board, which includes a standing committee for executive branch information systems security, chaired by the Office of Management and Budget.

    Recommendation: The Director, OMB, and the Assistant to the President for National Security Affairs should ensure that the various existing and newly initiated efforts to improve federal information security are coordinated under a comprehensive strategy. Such a strategy should clearly delineate the roles of the various federal organizations with responsibilities related to federal information security.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  8. Status: Closed - Implemented

    Comments: In October 2000, Congress enacted Government Information Security Reform legislation that consolidated separate information security requirements found in law and guidance into an overall framework for managing information security, and established new annual review, independent evaluation, and reporting requirements to help ensure agency implementation and oversight by both the Office of Management and Budget and Congress. These provisions require each agency to establish an agency-wide risk-based information security program, implement specific information security requirements, and conduct an annual program review. In addition, each agency is to have an annual independent evaluation of its information security program and practices performed by the agency inspector general or another independent evaluator. The results of these evaluations are to be reported to the Office of Management and Budget, which is required to submit an annual report to the Congress summarizing the results. In its February 2002 statutory report to Congress on Government Information Security Reform, the Office of Management and Budget reviewed and summarized the reports submitted by the agencies and their inspectors general, and identified six common government-wide security weaknesses. The information security practices and annual evaluation and reporting requirements of the Government Information Security Reform legislation satisfy the overall intent of this recommendation that federal information security be coordinated under a comprehensive strategy. While this legislation expires in November 2002, Congress is considering reauthorization legislation, and the Office of Management and Budget has expressed its commitment to continuing requirements for annual agency evaluation and reporting.

    Recommendation: The Director, OMB, and the Assistant to the President for National Security Affairs should ensure that the various existing and newly initiated efforts to improve federal information security are coordinated under a comprehensive strategy. Such a strategy should ensure that executive agencies are carrying out the responsibilities outlined in laws and regulations requiring them to protect the security of their information resources.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  9. Status: Closed - Implemented

    Comments: In October 2000, Congress enacted Government Information Security Reform provisions that consolidated separate information security requirements found in law and guidance into an overall framework for managing information security and established new annual review, independent evaluation, and reporting requirements to help ensure agency implementation and oversight by both the Office of Management and Budget and Congress. These provisions require each agency to conduct an annual program review and to have an annual independent evaluation of its information security program and practices performed by the agency inspector general or another independent evaluator. The results of these evaluations are to be reported to the Office of Management and Budget, which is required to submit an annual report to Congress summarizing the results. In its February 2002 statutory report to Congress on Government Information Security Reform, the Office of Management and Budget reviewed and summarized the reports submitted by the agencies and their inspectors general, and identified six common government-wide security weaknesses. In addition, the Office of Management and Budget is requiring the agencies to prepare and submit corrective action plans, and quarterly updates of these plans, to monitor correction of the information security weaknesses identified in the agency reviews and evaluations.

    Recommendation: The Director, OMB, and the Assistant to the President for National Security Affairs should ensure that the various existing and newly initiated efforts to improve federal information security are coordinated under a comprehensive strategy. Such a strategy should provide for periodically evaluating agency performance from a governmentwide perspective and acting to address shortfalls.

    Agency Affected: Executive Office of the President: Office of Management and Budget
