Critical Infrastructure Protection:

Fundamental Improvements Needed to Assure Security of Federal Operations

T-AIMD-00-7: Published: Oct 6, 1999. Publicly Released: Oct 6, 1999.

Contact:

Jack L. Brock, Jr.
(202) 512-4841
contact@gao.gov


Pursuant to a congressional request, GAO discussed the computer security aspects of critical infrastructure protection, focusing on federal agency performance in addressing computer security issues.

GAO noted that:

(1) reports issued by GAO and various Inspectors General over the last 5 years describe persistent computer security weaknesses that place federal operations at risk of disruption, fraud, and inappropriate disclosures;

(2) GAO's most recent analysis, of reports issued during fiscal year 1999, identified significant computer security weaknesses in 22 of the largest federal agencies;

(3) these included weaknesses in: (a) controls over access to sensitive systems and data; (b) controls over software development and changes; and (c) continuity of service plans;

(4) this body of audit evidence led GAO, in February 1997 and again in January 1999, to designate information security as a governmentwide high-risk area in reports to Congress;

(5) while a number of factors have contributed to weak federal information security, the fundamental underlying problem is poor security program management;

(6) weaknesses continue to surface because agencies have not implemented a management framework for overseeing information security on an agencywide and ongoing basis;

(7) to provide greater assurance that critical infrastructure objectives can be met, GAO believes that actions are needed in seven key areas;

(8) it is important that the federal strategy delineate the roles and responsibilities of the numerous entities involved in federal information security and related aspects of critical infrastructure protection;

(9) agencies need more specific guidance on the controls that they need to implement;

(10) implementing such standards for federal agencies would require developing: (a) a single set of information classification categories for use by all agencies to define the criticality and sensitivity of the various types of information they maintain; and (b) minimum mandatory requirements for protecting information in each classification category;

(11) routine periodic audits must be implemented to allow for meaningful performance measurement;

(12) it is important for agencies to have the technical expertise they need to select, implement, and maintain controls that protect their computer systems;

(13) agencies must have resources sufficient to support their computer security and infrastructure protection activities; and

(14) there is a need to more comprehensively monitor and develop responses to intrusions, viruses, and other incidents that threaten federal systems.
