Answers to Posthearing Questions
AIMD-99-272R, Aug 9, 1999
Pursuant to a congressional request, GAO responded to congressional questions regarding its June 24, 1999, testimony on the need for stronger information security management, focusing on: (1) the effectiveness of federal agencies' implementation of the 1987 Computer Security Act; (2) what gaps the Presidential Decision Directive (PDD) No. 63 will fill within existing federal programs that would improve the security of federal computer systems; (3) how GAO's Information Security Management guide differ from existing National Institute of Standards Technology (NIST) issued guidelines and bulletins, and how agencies responded to the guidelines; and (4) whether the 1992 information security audits conducted by NIST and National Security Agency (NSA) were effective and useful and whether NIST and NSA should perform these audits on a regular basis.
GAO noted that: (1) while a standards program and some training have been provided, governmentwide computer security has not been achieved, primarily because individual agencies have not taken the steps needed to effectively implement NIST's standards and related guidance; (2) in 1998, GAO analyzed the results of the previous 2-1/2 years' computer security audit reports and found that significant weaknesses were reported for all 24 of the agencies covered by GAO's analysis; (3) these weaknesses placed a broad range of critical operations and assets at great risk of fraud, misuse, and disruption; (4) GAO also reported that, although a number of agencies, councils, and task forces were attempting to improve federal information security by addressing selected issues, there was no governmentwide strategy in this regard; (5) PDD 63 has prompted efforts to develop a national plan, which is expected to address: (a) evaluating and improving agency computer security plans; and (b) developing improved capabilities for detecting and responding to serious computer-based attacks; (6) in addition, PDD 63 recognized the interdependencies among public and private sector entities, especially as they relate to protecting the nation's computer-supported critical infrastructures; (7) in this regard, the Directive initiated efforts to improve public-private sector cooperation; (8) GAO's guide is based on the results of its study of eight nonfederal organizations regarded as having superior computer security programs; (9) as a result of this study, GAO identified a risk management cycle of activity, including 16 specific practices that these organizations told GAO were important to the success of their programs; (10) these practices are consistent with NIST guidance as well as with the Office of Management and Budget (OMB) guidance; (11) in this regard, GAO's guide complements NIST and OMB guidance and should be viewed as a supplement to their publications; (12) agencies, as well as several private sector organizations, have responded very favorably to GAO's guide; (13) representatives from OMB, NIST, and NSA visited 28 agencies in an attempt to gain an overview of the agencies' information security programs, raise awareness of risks, and promote compliance with existing guidance; (14) while reportedly serving their intended purpose, the 1992 visits were not audits because they did not involve direct observation or testing of agency security controls in operation; and (15) to serve as a useful measure of performance, such audits need to be performed periodically so current and past performances can be compared.