Information Security: FBI Needs to Address Weaknesses in Critical Network

GAO-07-368 Published: Apr 30, 2007. Publicly Released: May 24, 2007.
Highlights

The Federal Bureau of Investigation (FBI) relies on a critical network to electronically communicate, capture, exchange, and access law enforcement and investigative information. Misuse or interruption of this critical network, or disclosure of the information traversing it, would impair FBI's ability to fulfill its missions. Effective information security controls are essential for ensuring that information technology resources and information are adequately protected from inadvertent or deliberate misuse, fraudulent use, disclosure, modification, or destruction. GAO was asked to assess information security controls for one of FBI's critical networks. To assess controls, GAO conducted a vulnerability assessment of the internal network and evaluated the bureau's information security program associated with the network operating environment. This report summarizes weaknesses in information security controls in one of FBI's critical networks.

Recommendations

Recommendations for Executive Action

Agency Affected: Federal Bureau of Investigation
Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should develop a comprehensive inventory of the current network operating environment.
Status: Closed – Implemented. In fiscal year 2011 we verified that FBI developed a comprehensive inventory of the current network operating environment.

Agency Affected: Federal Bureau of Investigation
Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should update the network's risk assessment to reflect the current operating environment and ensure that the assessment includes elements required by the FBI Certification & Accreditation Handbook.
Status: Closed – Implemented. In fiscal year 2011 we verified that FBI implemented a network risk assessment that reflected the current operating environment and included elements required by the FBI Certification & Accreditation Handbook.

Agency Affected: Federal Bureau of Investigation
Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should develop technical standards that include guidance for addressing the access control weaknesses identified.
Status: Closed – Implemented. In fiscal year 2011 we verified that FBI developed technical standards that included guidance for addressing the access control weaknesses identified.

Agency Affected: Federal Bureau of Investigation
Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should update the network security plan to ensure that it reflects the current operating environment and includes sections required by the FBI Certification & Accreditation Handbook.
Status: Closed – Implemented. In fiscal year 2011 we verified that FBI completed a network security plan that reflected the current operating environment and included sections required by the FBI Certification & Accreditation Handbook.

Agency Affected: Federal Bureau of Investigation
Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should ensure that all network users receive security awareness training and that all users with significant security responsibilities receive specialized training as defined by their role.
Status: Closed – Implemented. In fiscal year 2011 we verified that FBI ensured that network users received security awareness training and that users with significant security responsibilities received specialized training as defined by their role.

Agency Affected: Federal Bureau of Investigation
Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should provide comprehensive coverage of system testing and scans.
Status: Closed – Implemented. In fiscal year 2011 we verified that FBI provided comprehensive coverage of system testing and scans.

Agency Affected: Federal Bureau of Investigation
Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should correct identified weaknesses in a timely manner.
Status: Closed – Implemented. In fiscal year 2011 we verified that FBI corrected identified weaknesses in a timely manner.

Agency Affected: Federal Bureau of Investigation
Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should develop a continuity of operations plan that addresses the current network environment, and periodically test the plan.
Status: Closed – Implemented. In fiscal year 2011 we verified that FBI developed a continuity of operations plan that addressed the current network environment, and periodically tested the plan.

Topics

Computer networks, Computer security, Information security, Internal controls, Law enforcement agencies, Law enforcement information systems, Systems evaluation, Unauthorized access, Information systems, Sensitive data