Information Security: Computer Controls over Key Treasury Internet Payment System

GAO-03-837 Published: Jul 30, 2003. Publicly Released: Jul 30, 2003.
Highlights

"Pay.gov" is an Internet portal sponsored and managed by the Department of the Treasury's Financial Management Service (FMS) and operated at three Federal Reserve facilities. Pay.gov is intended to allow the public to make certain non-income-tax payments to the federal government securely over the Internet. FMS estimates that Pay.gov eventually could process 80 million transactions valued at $125 billion annually. Because of the magnitude of transaction volume and dollar value envisioned for Pay.gov, GAO was asked to determine whether FMS (1) conducted a comprehensive security risk assessment and (2) implemented and documented appropriate security measures and controls for the system's protection.

Recommendations

Recommendations for Executive Action

Agency Affected: Financial Management Service
Recommendation: To ensure the confidentiality, integrity, and availability of the Pay.gov application and computing environment, the FMS Commissioner should direct the Pay.gov program manager to develop and implement an action plan for strengthening Pay.gov computer controls.
Status: Closed – Implemented
In response to GAO's recommendation, as of December 2003 the Department of the Treasury's Financial Management Service developed and followed a Plan of Action and Milestones that has strengthened IT security controls for Pay.gov.

Agency Affected: Financial Management Service
Recommendation: In addition, the FMS Commissioner should strengthen management oversight of the Pay.gov initiative by directing the Pay.gov program manager to assess risks for the Pay.gov computing environment.
Status: Closed – Implemented
In response to GAO's recommendation, as of April 2007 the Department of the Treasury's Financial Management Service has developed a risk assessment that addresses risks to the Pay.gov computing environment.

Agency Affected: Financial Management Service
Recommendation: In addition, the FMS Commissioner should strengthen management oversight of the Pay.gov initiative by directing the Pay.gov program manager to develop technical implementation guidance to (1) assist Pay.gov operating personnel with implementing controls and configuring Pay.gov devices in accordance with strong security practice and (2) document reasons for using less secure configuration settings.
Status: Closed – Implemented
In response to GAO's recommendation, as of May 2005 the Department of the Treasury's Financial Management Service has developed a configuration management plan that addresses configuring Pay.gov devices in accordance with strong security practices and documents configuration settings.

Agency Affected: Financial Management Service
Recommendation: In addition, the FMS Commissioner should strengthen management oversight of the Pay.gov initiative by directing the Pay.gov program manager to track and actively coordinate with Pay.gov operating personnel to correct or mitigate known weaknesses and report the status of corrective actions to the FMS Commissioner on a regular basis.
Status: Closed – Implemented
In response to GAO's recommendation, as of April 2007 the Department of the Treasury's Financial Management Service has in place Plans of Actions and Milestones that describe its actions to correct or mitigate weaknesses. FMS also provides weekly briefings and reports on the status of corrective actions to the FMS Commissioner.

Agency Affected: Financial Management Service
Recommendation: In addition, the FMS Commissioner should strengthen management oversight of the Pay.gov initiative by directing the Pay.gov program manager to establish procedures for the proactive review or audit of the configuration settings on Pay.gov devices after installation or maintenance.
Status: Closed – Implemented
In response to GAO's recommendation, as of April 2007 the Department of the Treasury's Financial Management Service has developed a configuration management plan for Pay.gov that contains procedures for reviewing configuration settings on devices when they are installed and when changes occur.

Topics

Computer security, Computer security policies, Information security, Computer accounts, Information systems, Internal controls, Internet, Passwords, Risk assessment, Risk management