The Proposed Computer Security Enhancement Act of 1999
T-AIMD-99-302, Sep 30, 1999
Pursuant to a congressional request, GAO discussed the proposed Computer Security Enhancement Act of 1999 (H.R. 2413), focusing on: (1) the urgent need to strengthen computer security across the federal government; (2) the current and future privacy concerns with any computer security legislation; (3) GAO's views on the proposed act; and (4) what can be done to further strengthen security program management at individual agencies as well as governmentwide leadership, coordination, and oversight.
GAO noted that: (1) the dramatic increase in computer interconnectivity and the popularity of the Internet, while facilitating access to information, are factors that also make it easier for individuals and groups with malicious intentions to intrude into inadequately protected systems and use such access to obtain sensitive information, commit fraud, or disrupt operations; (2) attacks on and misuse of federal computer and telecommunications resources are of increasing concern because these resources are virtually indispensable for carrying out critical operations and protecting sensitive data and assets; (3) the need to protect sensitive data and systems must be weighed not only against cost and feasibility concerns but also against the privacy and security interests of individual citizens and private businesses, as well as those of national security and law enforcement agencies; (4) while information vulnerabilities cannot be eliminated through the use of any single tool, cryptography can help businesses ensure the confidentiality and integrity of information in transit and in storage and verify the asserted identity of individuals and computer systems; (5) the proposed act focuses particularly on the role the National Institute of Standards and Technology (NIST) plays in assisting federal agencies to protect their systems and in promoting security solutions based on private sector offerings; (6) it is important to recognize that no legislation can substitute for the increased management attention and due diligence necessary to implement information security controls and ensure their effectiveness; (7) it is also important to ensure that NIST retains the ability to develop security standards for unclassified data and to decide which industry standards are appropriate for federal agencies, and that agencies themselves consistently implement such standards; and (8) Congress needs to consider stronger measures that would ensure that executive agencies are: (a) carrying out their responsibilities outlined in laws and regulations requiring them to protect their information resources; (b) identifying and ranking the most significant information security issues facing federal agencies; (c) promoting information security risk awareness among senior agency officials whose critical operations rely on automated systems; (d) strengthening information technology workforce skills; (e) evaluating the security of systems on a regular basis; and (f) providing for periodic evaluation of agency performance from a governmentwide perspective and acting to address shortfalls.