Information Technology:

Federal Information Systems Remain Highly Vulnerable to Fraudulent, Wasteful, Abusive, and Illegal Practices

MASAD-82-18: Published: Apr 21, 1982. Publicly Released: May 19, 1982.

Contact:

Thomas P. Giammo
(202) 275-3195
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

GAO was requested to evaluate the information security programs in the executive agencies. Specifically, GAO was asked to address: (1) whether the Office of Management and Budget (OMB) guidelines, if fully implemented by the executive agencies, provide an acceptable level of protection over information systems; (2) whether the central agencies fulfill their governmentwide information security program responsibilities; (3) what the executive agencies are doing to implement governmentwide information security program policy and guidance; and (4) what the executive agencies must do to achieve a reasonable level of protection over their automated information systems, particularly those using telecommunications networks. GAO also examined how vulnerable the executive agencies' automated information systems are to abusive and unauthorized practices.

GAO found that: (1) OMB Circular A-71 was not sufficiently comprehensive to provide needed policy and guidance to executive agencies for establishing reasonable levels of protection; (2) the central agencies have not fulfilled their automated information security program responsibilities; (3) executive agencies are doing little to implement information security program policy and guidance; and (4) executive agencies have not developed and maintained a total system of controls to eliminate the fraudulent, wasteful, abusive, and illegal practices to which their automated information systems have been and are being subjected. These conditions have precluded the establishment and maintenance of a reasonable level of protection over automated information systems used by executive agencies. GAO noted the following specific problems: (1) deficiencies in OMB Circular A-71 have left some executive agencies confused as to the nature and extent to which it should be implemented and its application to the automated systems; (2) the ineffective information security programs of the central agencies have been a primary contributing factor to the continuing vulnerability of the automated information systems in the executive agencies; and (3) the increasing federal investments in automated information systems have resulted in growing vulnerability to fraudulent, wasteful, abusive, and illegal practices because greater concentrations of information are accessible from remote terminals.

Status Legend:

  • Review Pending - GAO has not yet assessed implementation status.
  • Open - Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented - Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented - While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: The Directors of OMB, OPM, and NBS should collaborate with the Administrator of General Services to cross reference completely their information security standards and guidelines in the Federal Property Management Regulations.

    Agency Affected: Executive Office of the President: Office of Management and Budget

    Status: Closed - Implemented

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The heads of executive departments and agencies should establish internal review audit programs which will periodically evaluate and report on the level of protection actually provided over automated information systems.

    Agency Affected: Department of Commerce: National Bureau of Standards

    Status: Closed - Implemented

    Comments: Several agencies established internal review audit programs, but a number of agencies are not in compliance with this recommendation.

    Recommendation: The central agencies must work together more cooperatively to coordinate policies, principles, standards, and guidelines for information protection to substantially reduce the vulnerabilities and risks presently associated with executive agencies' automated information systems.

    Agency Affected: Executive Office of the President: Office of Management and Budget

    Status: Closed - Implemented

    Comments: OMB, GSA, NBS, and OPM work together; however, the National Telecommunications and Information Systems Security Committee (NTISSC), formed in response to NSDD 145, has taken the lead with respect to selected policies, principles, standards, and guidelines for information security.

    Recommendation: The central agencies must work together more cooperatively to coordinate policies, principles, standards, and guidelines for information protection to substantially reduce the vulnerabilities and risks presently associated with executive agencies' automated information systems.

    Agency Affected: Department of Commerce: National Bureau of Standards

    Status: Closed - Implemented

    Comments: OMB, GSA, NBS, and OPM work together; however, NTISSC, formed in response to NSDD 145, has taken the lead with respect to selected policies, principles, standards, and guidelines for information security.

    Recommendation: The central agencies must work together more cooperatively to coordinate policies, principles, standards, and guidelines for information protection to substantially reduce the vulnerabilities and risks presently associated with executive agencies' automated information systems.

    Agency Affected: Office of Personnel Management

    Status: Closed - Implemented

    Comments: OMB, GSA, NBS, and OPM work together; however, NTISSC, formed in response to NSDD 145, has taken the lead with respect to selected policies, principles, standards, and guidelines for information security.

    Recommendation: The Director, OMB, should initiate and review proposals for changes in legislative regulations and agency procedures to improve automatic data processing (ADP) and telecommunications practices to ensure a reasonable level of protection over personal, proprietary, and other sensitive information as developed and maintained by the executive agencies.

    Agency Affected: Executive Office of the President: Office of Management and Budget

    Status: Closed - Not Implemented

    Comments: In GAO's opinion, OMB did not take the recommended action. OMB opposed H.R. 2889, the Computer Security Act of 1986. This recommendation does not warrant further follow-up.

    Recommendation: The Director, OMB, should, through a review of budget proposals, inform the President and Congress of the progress made to develop and maintain a reasonable level of protection over personal, proprietary, and other sensitive information in the executive agencies.

    Agency Affected: Executive Office of the President: Office of Management and Budget

    Status: Closed - Implemented

    Comments: OMB has taken no action on this item. However, the Administration reviews security budget proposals pursuant to National Security Decision Directive (NSDD) 145, National Policy on Telecommunications and Automated Information Systems, dated September 17, 1984.

    Recommendation: The Administrator of General Services should completely cross reference OMB, National Bureau of Standards (NBS), and Office of Personnel Management (OPM) information security policies, principles, standards, and guidelines in the Federal Property Management Regulations to eliminate the confusion that presently exists with their use.

    Agency Affected: General Services Administration

    Status: Closed - Implemented

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Director, OMB, should provide advice and guidance on the acquisition and use of ADP and telecommunications equipment and coordinate, through the review of budget proposals and other methods, agency proposals for acquisition and use of such equipment. Implementation of this responsibility combined with a review of agencies' plans for establishing and maintaining a reasonable level of protection over their automated information systems will help ensure implementation of such plans.

    Agency Affected: General Services Administration

    Status: Closed - Implemented

    Comments: Although OMB has taken no action, NSDD 145 established NTISSC, which is providing advice and guidance through the National Computer Security Center and its standards.

    Recommendation: The Director, OMB, should revise OMB Circular A-71, Transmittal Memorandum 1, to: (1) identify the minimum controls necessary for ensuring a reasonable level of protection over personal, proprietary, and other sensitive information; (2) clarify the interrelationship between Transmittal Memorandum 1 and policy and guidance on safeguarding information classified for purposes of national security; (3) clarify when executive agencies must afford the same level of protection against unauthorized disclosure of personal, proprietary, and other sensitive information as they do to information classified for purposes of national security; and (4) establish policy and specific guidance for achieving a reasonable level of protection over those systems, using telecommunication networks.

    Agency Affected: Executive Office of the President: Office of Management and Budget

    Status: Closed - Implemented

    Comments: The revision was issued as OMB Circular A-130 on December 12, 1985. However, the A-130 provisions do not cover all of the four points.

    Recommendation: The Directors of OMB, OPM, and NBS should collaborate with the Administrator of General Services to cross reference completely their information security standards and guidelines in the Federal Property Management Regulations.

    Agency Affected: Heads of Federal Agencies

    Status: Closed - Implemented

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The heads of executive departments and agencies should include, with their next budget request, a report describing the actions taken to implement the plan and to implement recommendations made by the agency internal review group.

    Agency Affected: Executive Office of the President: Office of Management and Budget

    Status: Closed - Implemented

    Comments: NTISSC prepared two annual reports on the state of executive agency information security. However, the agency heads are only partially implementing this recommendation.

    Recommendation: The heads of executive departments and agencies should identify a time schedule and resource requirements for implementing the plan.

    Agency Affected: Executive Office of the President: Office of Management and Budget

    Status: Closed - Implemented

    Comments: Some agencies are addressing the vulnerabilities and risks and developing new plans for protection of automated information systems. However, other agencies are not complying with this recommendation.

    Recommendation: The heads of executive departments and agencies should identify, in accordance with a revised Transmittal Memorandum 1, the vulnerabilities and risks associated with their automated information systems and develop a new plan for establishing a reasonable level of protection over those systems.

    Agency Affected: Executive Office of the President: Office of Management and Budget

    Status: Closed - Implemented

    Comments: Some agencies are addressing the vulnerabilities and risks and developing new plans for protection of automated information systems. However, other agencies are not complying with this recommendation.

    Recommendation: The Director, OMB, should fully implement other OMB responsibilities as specified in the Paperwork Reduction Act of 1980, and as they relate to information security programs involving federal ADP systems and telecommunication networks.

    Agency Affected: Executive Office of the President: Office of Management and Budget

    Status: Closed - Implemented

    Comments: This recommendation is partially completed. OMB issued Circular A-130 on December 12, 1985, which partially addresses this recommendation.

    Recommendation: The Director, OMB, should develop procedures for ensuring executive agencies' implementation of their automated information security program plans. Implementation of these plans should be integrated into the budget process so that major automated information systems are designed, developed, operated, and maintained with a reasonable level of protection. Each system should have a restricted statement of the potential vulnerabilities, the specific security program to be used, and the expected level of risk when the security program is implemented; that is, what vulnerabilities will exist even with the implementation of the security program.

    Agency Affected: Executive Office of the President: Office of Management and Budget

    Status: Closed - Not Implemented

    Comments: OMB disagreed with this approach because it believes that this recommendation is too costly. A continued follow-up is not warranted.

    Recommendation: The Director, OMB, should require executive agencies to submit to OMB, for review and approval, new plans for establishing and maintaining a reasonable level of protection over their automated information systems, in accordance with a revised Transmittal Memorandum 1. This includes establishing and maintaining an effective internal evaluation of their automated information security programs.

    Agency Affected: Heads of Federal Agencies

    Status: Closed - Implemented

    Comments: NSDD 145 and NTISSC provide some guidance to the executive agencies regarding effective internal evaluation of automated information security programs.

    Recommendation: The Director, OMB, should monitor the effectiveness of and agencies' compliance with P.L. 87-847, the Federal Telecommunications Fund, and P.L. 89-306, often called the Brooks Act.

    Agency Affected: Executive Office of the President: Office of Management and Budget

    Status: Closed - Implemented

    Comments: OMB performs monitoring and uses data calls for current information.
