Federal Information Systems Remain Highly Vulnerable to Fraudulent, Wasteful, Abusive, and Illegal Practices

MASAD-82-18 Published: Apr 21, 1982. Publicly Released: May 19, 1982.
Highlights

GAO was requested to evaluate the information security programs in the executive agencies. Specifically, GAO was asked to address: (1) whether the Office of Management and Budget (OMB) guidelines, if fully implemented by the executive agencies, provide an acceptable level of protection over information systems; (2) whether the central agencies fulfill their governmentwide information security program responsibilities; (3) what the executive agencies are doing to implement governmentwide information security program policy and guidance; and (4) what the executive agencies must do to achieve a reasonable level of protection over their automated information systems, particularly those using telecommunications networks. An examination was made of the vulnerability of automated information systems in the executive agencies to abusive and unauthorized practices.

Recommendations

Recommendations for Executive Action

Each recommendation is listed with the agency affected, its status, and GAO's follow-up comment.

Agency Affected: Office of Management and Budget
Recommendation: The Director, OMB, should monitor the effectiveness of and agencies' compliance with P.L. 87-847, the Federal Telecommunications Fund, and P.L. 89-306, often called the Brooks Act.
Status: Closed – Implemented
Comment: OMB performs monitoring and uses data calls for current information.

Agency Affected: General Services Administration
Recommendation: The Administrator of General Services should completely cross-reference OMB, National Bureau of Standards (NBS), and Office of Personnel Management (OPM) information security policies, principles, standards, and guidelines in the Federal Property Management Regulations to eliminate the confusion that presently exists with their use.
Status: Closed – Implemented
Comment: Please call 202/512-6100 for information.

Agency Affected: Office of Management and Budget
Recommendation: The Director, OMB, should, through a review of budget proposals, inform the President and Congress of the progress made to develop and maintain a reasonable level of protection over personal, proprietary, and other sensitive information in the executive agencies.
Status: Closed – Implemented
Comment: OMB has taken no action on this item. However, the Administration reviews security budget proposals pursuant to National Security Decision Directive (NSDD) 145, National Policy on Telecommunications and Automated Information Systems, dated September 17, 1984.

Agency Affected: Office of Management and Budget
Recommendation: The Director, OMB, should initiate and review proposals for changes in legislative regulations and agency procedures to improve automatic data processing (ADP) and telecommunications practices to ensure a reasonable level of protection over personal, proprietary, and other sensitive information as developed and maintained by the executive agencies.
Status: Closed – Not Implemented
Comment: In GAO's opinion, OMB has not taken the recommended action. OMB opposed H.R. 22889, the Computer Security Act of 1986. This recommendation does not warrant further follow-up.

Agency Affected: National Bureau of Standards
Recommendation: The central agencies must work together more cooperatively to coordinate policies, principles, standards, and guidelines for information protection to substantially reduce the vulnerabilities and risks presently associated with executive agencies' automated information systems.
Status: Closed – Implemented
Comment: OMB, GSA, NBS, and OPM work together; however, NTISSC, formed in response to NSDD 145, has taken the lead with respect to selected policies, principles, standards, and guidelines for information security.

Agency Affected: Office of Management and Budget
Recommendation: The central agencies must work together more cooperatively to coordinate policies, principles, standards, and guidelines for information protection to substantially reduce the vulnerabilities and risks presently associated with executive agencies' automated information systems.
Status: Closed – Implemented
Comment: OMB, GSA, NBS, and OPM work together; however, the National Telecommunications and Information Systems Security Committee (NTISSC), formed in response to NSDD 145, has taken the lead with respect to selected policies, principles, standards, and guidelines for information security.

Agency Affected: General Services Administration
Recommendation: The central agencies must work together more cooperatively to coordinate policies, principles, standards, and guidelines for information protection to substantially reduce the vulnerabilities and risks presently associated with executive agencies' automated information systems.
Status: Closed – Implemented
Comment: OMB, GSA, NBS, and OPM work together; however, NTISSC, formed in response to NSDD 145, has taken the lead with respect to selected policies, principles, standards, and guidelines for information security.

Agency Affected: Office of Personnel Management
Recommendation: The central agencies must work together more cooperatively to coordinate policies, principles, standards, and guidelines for information protection to substantially reduce the vulnerabilities and risks presently associated with executive agencies' automated information systems.
Status: Closed – Implemented
Comment: OMB, GSA, NBS, and OPM work together; however, NTISSC, formed in response to NSDD 145, has taken the lead with respect to selected policies, principles, standards, and guidelines for information security.

Agency Affected: Heads of Federal Agencies
Recommendation: The heads of executive departments and agencies should establish internal review audit programs which will periodically evaluate and report on the level of protection actually provided over automated information systems.
Status: Closed – Implemented
Comment: Several agencies established internal review audit programs, but a number of agencies are not in compliance with this recommendation.

Agency Affected: Office of Management and Budget
Recommendation: The Director, OMB, should provide advice and guidance on the acquisition and use of ADP and telecommunications equipment and coordinate, through the review of budget proposals and other methods, agency proposals for acquisition and use of such equipment. Implementation of this responsibility, combined with a review of agencies' plans for establishing and maintaining a reasonable level of protection over their automated information systems, will help ensure implementation of such plans.
Status: Closed – Implemented
Comment: Although OMB has taken no action, NSDD 145 established NTISSC, which is providing advice and guidance through the National Computer Security Center and its standards.

Agency Affected: Office of Management and Budget
Recommendation: The Director, OMB, should revise OMB Circular A-71, Transmittal Memorandum 1, to: (1) identify the minimum controls necessary for ensuring a reasonable level of protection over personal, proprietary, and other sensitive information; (2) clarify the interrelationship between Transmittal Memorandum 1 and policy and guidance on safeguarding information classified for purposes of national security; (3) clarify when executive agencies must afford the same level of protection against unauthorized disclosure of personal, proprietary, and other sensitive information as they do to information classified for purposes of national security; and (4) establish policy and specific guidance for achieving a reasonable level of protection over those systems using telecommunication networks.
Status: Closed – Implemented
Comment: The revision was issued as OMB Circular A-130 on December 12, 1985. However, the A-130 provisions do not cover all of the four points.

Agency Affected: Office of Management and Budget
Recommendation: The Director, OMB, should require executive agencies to submit to OMB, for review and approval, new plans for establishing and maintaining a reasonable level of protection over their automated information systems, in accordance with a revised Transmittal Memorandum 1. This includes establishing and maintaining an effective internal evaluation of their automated information security programs.
Status: Closed – Implemented
Comment: NSDD 145 and NTISSC provide some guidance to the executive agencies regarding effective internal evaluation of automated information security programs.

Agency Affected: Office of Management and Budget
Recommendation: The Director, OMB, should develop procedures for ensuring executive agencies' implementation of their automated information security program plans. Implementation of these plans should be integrated into the budget process so that major automated information systems are designed, developed, operated, and maintained with a reasonable level of protection. Each system should have a restricted statement of the potential vulnerabilities, the specific security program to be used, and the expected level of risk when the security program is implemented; that is, what vulnerabilities will exist even with the implementation of the security program.
Status: Closed – Not Implemented
Comment: OMB disagreed with this approach because it believes that this recommendation is too costly. A continued follow-up is not warranted.

Agency Affected: Office of Management and Budget
Recommendation: The Director, OMB, should fully implement other OMB responsibilities as specified in the Paperwork Reduction Act of 1980, as they relate to information security programs involving federal ADP systems and telecommunication networks.
Status: Closed – Implemented
Comment: This recommendation is partially completed. OMB issued Circular A-130 on December 12, 1985, which partially addresses this recommendation.

Agency Affected: Heads of Federal Agencies
Recommendation: The heads of executive departments and agencies should identify, in accordance with a revised Transmittal Memorandum 1, the vulnerabilities and risks associated with their automated information systems and develop a new plan for establishing a reasonable level of protection over those systems.
Status: Closed – Implemented
Comment: Some agencies are addressing the vulnerabilities and risks and developing new plans for protection of automated information systems. However, other agencies are not complying with this recommendation.

Agency Affected: Heads of Federal Agencies
Recommendation: The heads of executive departments and agencies should identify a time schedule and resource requirements for implementing the plan.
Status: Closed – Implemented
Comment: Some agencies are addressing the vulnerabilities and risks and developing new plans for protection of automated information systems. However, other agencies are not complying with this recommendation.

Agency Affected: Heads of Federal Agencies
Recommendation: The heads of executive departments and agencies should include, with their next budget request, a report describing the actions taken to implement the plan and to implement recommendations made by the agency internal review group.
Status: Closed – Implemented
Comment: NTISSC prepared two annual reports on the state of executive agency information security. However, the agency heads are only partially implementing this recommendation.

Agency Affected: National Bureau of Standards
Recommendation: The Directors of OMB, OPM, and NBS should collaborate with the Administrator of General Services to completely cross-reference their information security standards and guidelines in the Federal Property Management Regulations.
Status: Closed – Implemented
Comment: Please call 202/512-6100 for information.

Agency Affected: Office of Management and Budget
Recommendation: The Directors of OMB, OPM, and NBS should collaborate with the Administrator of General Services to completely cross-reference their information security standards and guidelines in the Federal Property Management Regulations.
Status: Closed – Implemented
Comment: Please call 202/512-6100 for information.

Agency Affected: Office of Personnel Management
Recommendation: The Directors of OMB, OPM, and NBS should collaborate with the Administrator of General Services to completely cross-reference their information security standards and guidelines in the Federal Property Management Regulations.
Status: Closed – Implemented
Comment: Please call 202/512-6100 for information.

Topics

Automated security systems, Computer security, Executive agencies, Fraud, Information systems, Internal controls, Information security, Policy evaluation, Standards evaluation, Systems evaluation, Telecommunications