Information Security:

Despite Reported Progress, Federal Agencies Need to Address Persistent Weaknesses

GAO-07-837: Published: Jul 27, 2007. Publicly Released: Jul 27, 2007.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

For many years, GAO has reported that weaknesses in information security are a widespread problem with potentially devastating consequences--such as intrusions by malicious users, compromised networks, and the theft of personally identifiable information--and has identified information security as a governmentwide high-risk issue. Concerned by reports of significant vulnerabilities in federal computer systems, Congress passed the Federal Information Security Management Act of 2002 (FISMA), which permanently authorized and strengthened the information security program, evaluation, and reporting requirements for federal agencies. FISMA requires GAO to report periodically to Congress; in this report GAO discusses the adequacy and effectiveness of agencies' information security policies and practices and agencies' implementation of FISMA requirements. To address these objectives, GAO analyzed agency, inspectors general (IG), Office of Management and Budget (OMB), congressional, and GAO reports on information security.

Significant weaknesses in information security policies and practices threaten the confidentiality, integrity, and availability of critical information and information systems used to support the operations, assets, and personnel of most federal agencies. Recently reported incidents at federal agencies have placed sensitive data at risk, including the theft, loss, or improper disclosure of personally identifiable information on millions of Americans, thereby exposing them to loss of privacy and identity theft. Almost all of the major federal agencies had weaknesses in one or more areas of information security controls. Most agencies did not implement controls sufficient to prevent, limit, or detect unauthorized access to computer resources. In addition, agencies did not always manage the configuration of network devices to prevent unauthorized access and ensure system integrity, such as by patching key servers and workstations in a timely manner; assign incompatible duties to different individuals or groups so that no one individual controls all aspects of a process or transaction; or maintain and test continuity of operations plans for key information systems. An underlying cause of these weaknesses is that agencies have not fully implemented their information security programs. As a result, agencies may lack assurance that controls are in place and operating as intended to protect their information resources, leaving those resources vulnerable to attack or compromise.

Nevertheless, federal agencies have continued to report steady progress in implementing certain information security requirements. For fiscal year 2006, agencies generally reported performing various control activities for an increasing percentage of their systems and personnel. However, IGs at several agencies disagreed with the information the agency reported and identified weaknesses in the processes used to implement these activities.

Further, although OMB enhanced its reporting instructions to agencies for preparing fiscal year 2006 FISMA reports, the metrics specified in the instructions do not measure how effectively agencies are performing various activities, and there is no requirement to report on a key activity, patch management. As a result, reporting may not adequately reflect the status of agency implementation of required information security policies and procedures.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In fiscal year 2011, we verified that OMB revised its FISMA reporting instructions to incorporate, for fiscal year 2010, additional metrics that expanded coverage of the areas agencies and their IGs use to measure the effectiveness of agencies' security postures and efforts to implement FISMA activities.

    Recommendation: Because annual reporting is critical to monitoring agencies' implementation of information security requirements, in revising future FISMA reporting guidance the Director of OMB should develop additional performance metrics that measure the effectiveness of FISMA activities.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  2. Status: Closed - Implemented

    Comments: In fiscal year 2011, we verified that OMB revised its FISMA reporting instructions to request, for fiscal year 2010, that IGs report on the status of several program areas at their agencies, including system test and evaluation, covered in the continuous monitoring section; risk, covered in the certification and accreditation section (security authorization); security training; and incident response and reporting.

    Recommendation: Because annual reporting is critical to monitoring agencies' implementation of information security requirements, in revising future FISMA reporting guidance the Director of OMB should request inspectors general to report on the quality of additional agency information security processes, such as system test and evaluation, risk categorization, security awareness training, and incident reporting.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  3. Status: Closed - Implemented

    Comments: In fiscal year 2011, we verified that OMB revised its FISMA reporting instructions to request, for fiscal year 2010, that the IGs report on agencies' configuration management process, which included agencies' processes for the installation of software patches.

    Recommendation: Because annual reporting is critical to monitoring agencies' implementation of information security requirements, in revising future FISMA reporting guidance the Director of OMB should require agencies to report on a key activity--patch management.

    Agency Affected: Executive Office of the President: Office of Management and Budget
