Information Security:

Agencies Need to Improve Controls over Selected High-Impact Systems

GAO-16-501: Published: May 18, 2016. Publicly Released: Jun 21, 2016.

Multimedia:

Additional Materials:

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

 

Nabajyoti Barkakati, Ph.D.
(202) 512-4499
barkakatin@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

In GAO's survey of 24 federal agencies, the 18 agencies having high-impact systems identified cyber attacks from “nations” as the most serious and most frequently-occurring threat to the security of their systems. These agencies also noted that attacks delivered through e-mail were the most serious and frequent. During fiscal year 2014, 11 of the 18 agencies reported 2,267 incidents affecting their high-impact systems, with almost 500 of the incidents involving the installation of malicious code.

Government entities have provided guidance and established initiatives and services to aid agencies in protecting their systems, including those categorized as high impact. The National Institute of Standards and Technology has prescribed federal standards for minimum security requirements and guidance on security and privacy controls for high-impact systems, including 83 controls specific to such systems. The Office of Management and Budget (OMB) is developing plans for shared services and practices for federal security operations centers but has not issued them yet. In addition, agencies reported that they are in the process of implementing various federal initiatives, such as tools to diagnose and mitigate intrusions on a continuous basis and stronger controls over access to agency networks.

The National Aeronautics and Space Administration (NASA), Nuclear Regulatory Commission (NRC), Office of Personnel Management (OPM), and Department of Veterans Affairs (VA) had implemented numerous controls over the eight high-impact systems GAO reviewed. For example, all the agencies reviewed had developed a risk assessment for their selected high-risk systems. However, the four agencies had not always effectively implemented access controls. These control weaknesses included those protecting system boundaries, identifying and authenticating users, authorizing access needed to perform job duties, and auditing and monitoring system activities. Weaknesses also existed in patching known software vulnerabilities and planning for contingencies. An underlying reason for these weaknesses is that the agencies had not fully implemented key elements of their information security programs, as shown in the table.

Agency Implementation of Key Information Security Program Elements for Selected Systems

 

NASA

NRC

OPM

VA

Risk assessments

Security plans

Controls assessments

Remedial action plans

Source: GAO analysis of agency documentation. | GAO-16-501

Note: ● – Met ◐– Partially met ○ – Did not meet

Until the selected agencies address weaknesses in access and other controls, including fully implementing elements of their information security programs, the sensitive data maintained on selected systems will be at increased risk of unauthorized access, modification, and disclosure, and the systems at risk of disruption.

Why GAO Did This Study

Federal systems categorized as high impact—those that hold sensitive information, the loss of which could cause individuals, the government, or the nation catastrophic harm—warrant increased security to protect them. In this report, GAO (1) describes the extent to which agencies have identified cyber threats and have reported incidents involving high-impact systems, (2) identifies government-wide guidance and efforts to protect these systems, and (3) assesses the effectiveness of controls to protect selected high-impact systems at federal agencies. To do this, GAO surveyed 24 federal agencies; examined federal policies, standards, guidelines and reports; and interviewed agency officials. In addition, GAO tested and evaluated the security controls over eight high-impact systems at four agencies.

What GAO Recommends

GAO recommends that OMB complete its plans and practices for securing federal systems and that NASA, NRC, OPM, and VA fully implement key elements of their information security programs. The agencies generally concurred with GAO's recommendations, with the exception of OPM. OPM did not concur with the recommendation regarding evaluating security control assessments. GAO continues to believe the recommendation is warranted.

In separate reports with limited distribution, GAO is making specific recommendations to each of the four agencies to mitigate identified weaknesses in access controls, patch management, and contingency planning.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov, or Nabajyoti Barkakati at (202) 512-4499 or barkakatin@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: The Office of Management and Budget generally concurred with this recommendation. In fiscal year 2016 we verified that OMB issued an updated Circular A-130 on July 28, 2016.

    Recommendation: To improve security over federal systems, including those considered to be high impact, the Director of the Office of Management and Budget should issue Circular A-130.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  2. Status: Closed - Implemented

    Priority recommendation

    Comments: The National Aeronautics and Space Administration (NASA) concurred with our recommendation. In fiscal year 2016 we verified that NASA, in response to the recommendation, provides through its training system a catalog of NASA-sponsored learning opportunities and links to externally sponsored opportunities. Additionally, NASA uses this system to track individuals' training plans and compliance.

    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should provide and track specialized training for all individuals who have significant security responsibilities.

    Agency Affected: National Aeronautics and Space Administration

  3. Status: Open

    Priority recommendation

    Comments: NASA concurred with our recommendation. The agency has implemented a system to support updates of security assessment plans that include the test procedures to be performed. Subsequent to NASA informing us that security assessment plans for selected systems include these test procedures, we plan to verify the agency's actions.

    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update security assessment plans for selected systems to ensure they include the test procedures to be performed.

    Agency Affected: National Aeronautics and Space Administration

  4. Status: Open

    Priority recommendation

    Comments: NASA concurred with our recommendation, and will re-evaluate the selected systems' security control assessments to ensure that technical controls will be comprehensively tested. NASA officials said that they expect to complete this action by January 15, 2018. Subsequent to NASA informing us that it has implemented the recommendation, we plan to verify the agency's actions.

    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should re-evaluate security control assessments for selected systems to ensure that they comprehensively test technical controls.

    Agency Affected: National Aeronautics and Space Administration

  5. Status: Open

    Priority recommendation

    Comments: NASA concurred with our recommendation. The agency has implemented a system that generates plans of actions and milestones (POA&Ms), but has not yet provided sufficient examples of remedial action plans for the selected systems. Subsequent to NASA informing us that it has updated POA&Ms for the selected systems to include responsible organization, estimated funding, source of funding, and updated milestones and completion dates, we plan to verify these actions.

    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update remedial action plans for selected systems, to include responsible organization, estimated funding, source of funding, and updated milestones and completion dates.

    Agency Affected: National Aeronautics and Space Administration

  6. Status: Open

    Priority recommendation

    Comments: NASA concurred with our recommendation. The agency has issued an updated continuous monitoring strategy, but this strategy does not clearly identify specific metrics to be used. Subsequent to NASA informing us that the strategy includes metrics, ongoing status monitoring of metrics, and reporting of security status, we plan to verify these actions.

    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update the continuous monitoring strategy to include metrics, ongoing status monitoring of metrics, and reporting of security status.

    Agency Affected: National Aeronautics and Space Administration

  7. Status: Closed - Implemented

    Comments: The Nuclear Regulatory Commission (NRC) concurred with our recommendation. In fiscal year 2017 we verified that NRC changed the security level of one of the high-impact systems to moderate. Consequently, our recommendation to update security plans to meet controls specific to high-impact systems no longer applies to this system. In fiscal year 2017 we also verified that NRC, in response to our recommendation, issued an updated system security plan for the other high-impact system that we reviewed. This plan addresses all controls specific to high-impact systems and offers explanations for those instances where a control is not implemented.

    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented.

    Agency Affected: Nuclear Regulatory Commission

  8. Status: Closed - Implemented

    Comments: The Nuclear Regulatory Commission (NRC) concurred with our recommendation. In fiscal year 2016 we verified that NRC, in response to our recommendation, is providing specialized security training for staff with significant security responsibilities in information technology, is defining training requirements, and is tracking compliance.

    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should provide and track specialized training for all individuals who have significant security responsibilities.

    Agency Affected: Nuclear Regulatory Commission

  9. Status: Open

    Comments: NRC concurred with our recommendation. NRC supplied documents regarding its cybersecurity assessment process, but has not yet provided evidence of re-evaluating assessments to ensure that technical controls were comprehensively tested.

    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should re-evaluate security control assessments to ensure that they comprehensively test technical controls.

    Agency Affected: Nuclear Regulatory Commission

  10. Status: Open

    Comments: NRC concurred with our recommendation. The agency provided evidence that it is including the responsible organization and scheduled completion dates in its plans of action and milestones (POA&Ms). While the estimated funding and source of funding do not appear in the POA&Ms, the agency has indicated that this data is available elsewhere. We are following up with NRC to verify this information.

    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update remedial action plans for selected systems, to include responsible organization, estimated funding, funding source, and scheduled completion dates.

    Agency Affected: Nuclear Regulatory Commission

  11. Status: Open

    Comments: NRC concurred with our recommendation. The agency expects to publish a revised computer security standard in 2018.

    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update the standard that addresses continuous monitoring to include metrics and ongoing status monitoring.

    Agency Affected: Nuclear Regulatory Commission

  12. Status: Open

    Priority recommendation

    Comments: OPM concurred with our recommendation. The agency intends to migrate security plans to an automated system in order to improve management of security controls.

    Recommendation: To improve agency information security programs, Acting Director of the Office of Personnel Management should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented, and where other plans are cross-referenced, ensure that the other system's plan appropriately addresses the control.

    Agency Affected: Office of Personnel Management

  13. Status: Open

    Priority recommendation

    Comments: OPM partially concurred with our recommendation. OPM is in the process of reviewing its procedures for identifying employees and contractors who directly access its information systems and reviewing the training requirements for those individuals, as well as specialized training requirements, and how compliance is tracked.

    Recommendation: To improve agency information security programs, Acting Director of the Office of Personnel Management should provide and track specialized training for all individuals, including contractors, who have significant security responsibilities.

    Agency Affected: Office of Personnel Management

  14. Status: Open

    Priority recommendation

    Comments: OPM did not concur with our recommendation. OPM is developing additional standards for evaluating technical-controls testing and will incorporate these standards into its oversight of security assessments, once the standards are complete.

    Recommendation: To improve agency information security programs, Acting Director of the Office of Personnel Management should re-evaluate security control assessments to ensure that they comprehensively test technical controls.

    Agency Affected: Office of Personnel Management

  15. Status: Open

    Comments: OPM concurred with our recommendation. OPM is in the process of migrating POA&Ms to a new automated system that will allow the source of funding to be included in plans of action and milestones.

    Recommendation: To improve agency information security programs, Acting Director of the Office of Personnel Management should update remedial action plans for selected systems, to include source of funding and updated completion dates.

    Agency Affected: Office of Personnel Management

  16. Status: Open

    Comments: VA concurred with our recommendation. VA stated that all high-impact security controls have been addressed, and the agency expects to include all controls in one plan. Subsequent to the agency informing us that it has implemented the recommendation, we plan to verify its actions.

    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented.

    Agency Affected: Department of Veterans Affairs

  17. Status: Open

    Comments: VA concurred with our recommendation. VA provided limited evidence that it is tracking specialized training for staff who have significant security responsibilities. GAO plans to request further documentation and verify the completeness of VA's actions.

    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans should provide and track specialized training for all individuals who have significant security responsibilities.

    Agency Affected: Department of Veterans Affairs

  18. Status: Open

    Comments: VA concurred with our recommendation. VA has assessed technical controls, but has not yet provided evidence of re-evaluating assessments to ensure that technical controls were comprehensively tested.

    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans should conduct security control assessments for the two selected systems and ensure the procedures comprehensively test technical controls.

    Agency Affected: Department of Veterans Affairs

  19. Status: Open

    Comments: VA concurred with our recommendation. VA provided limited evidence that it is including more information in its remedial action plans for selected systems, but did not demonstrate that it is including estimated funding and funding sources in these plans.

    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans should update remedial action plans for selected systems, to include estimated funding and funding source.

    Agency Affected: Department of Veterans Affairs

  20. Status: Open

    Comments: VA concurred with our recommendation. VA is developing a new framework to address the people, processes, technology, and performance monitoring mechanisms identified in the Information Security Continuous Monitoring (ISCM) Maturity Model. This framework and supporting program plan are linked to the Department of Homeland Security Continuous Diagnostics and Mitigation (CDM) phase 1 deployment that is ongoing and anticipated to be completed by the fourth quarter of 2017. VA's ISCM program plan and framework have been delayed to accommodate these changes.

    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans should develop a continuous monitoring strategy that addresses organization-defined metrics, frequency of monitoring metrics, ongoing status monitoring of metrics, and reporting of security status.

    Agency Affected: Department of Veterans Affairs

  21. Status: Open

    Comments: OMB concurred with our recommendation. On December 9, 2016, OMB issued memorandum M-17-09, Management of Federal High Value Assets, which lists some existing policies and guidance and other actions that agencies need to take to protect IT assets. In addition OMB provided limited access to a document describing best practices for federal security operation centers. GAO is requesting further access to this document on best practices in order to determine whether OMB has adequately addressed the recommendation.

    Recommendation: To improve security over federal systems, including those considered to be high impact, the Director of the Office of Management and Budget should issue plan and practices specified in the Cybersecurity Strategy and Implementation Plan.

    Agency Affected: Executive Office of the President: Office of Management and Budget

 

Explore the full database of GAO's Open Recommendations »

Aug 3, 2017

Jul 27, 2017

Jul 26, 2017

May 31, 2017

May 23, 2017

Apr 4, 2017

Mar 30, 2017

Mar 28, 2017

Feb 14, 2017

Sep 29, 2016

Looking for more? Browse all our products here