From the U.S. Government Accountability Office, www.gao.gov

Transcript for: Federal Information Security Weaknesses

Description: Federal agency information systems collect and hold a massive amount of data, from tax records to contract paperwork to classified information. So what policies and practices are government agencies using to keep the information they collect secure?

Related GAO Work: GAO-17-549: Federal Information Security: Weaknesses Continue to Indicate Need for Effective Implementation of Policies and Practices

Released: September 2017

[Background Music]

[ Greg Wilshusen: ] Information security is first and foremost a management issue.

[Background Music]

[ Jacques Arsenault: ] Welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office. I'm Jacques Arsenault. GAO first designated federal information security as a high-risk area 20 years ago. The Federal Information Security Management Act, or FISMA, was developed in 2002 and required agencies to establish security programs. I sat down with Greg Wilshusen, a director in our Information Technology team, to talk about GAO's new report on federal information security policies and practices. If you're like me, you might be wondering what the phrase "federal information security" means. I asked Greg to explain its use to me.

[ Greg Wilshusen: ] The term "federal information security" simply means protecting the information and information systems of an agency against unauthorized use, disclosure, access, disruption, modification, and destruction in order to preserve the confidentiality, integrity, and availability of the information and information systems. And to do this, federal agencies are required, under law, to develop, document, and implement an agency-wide information security program that is intended to protect the security over the information and information systems supporting either the operations and/or the assets of that agency.

And this is very important, because federal agencies maintain and collect huge stores of very sensitive information, to include personally identifiable information, such as that provided in tax returns maintained by the IRS, to Medicare claims and others that might be maintained by the Department of Health and Human Services, to also other information that can have an impact on national security and economic well-being if it were compromised in some fashion.

[ Jacques Arsenault: ] So the agencies all have these information security programs. Do we know, are they effective?

[ Greg Wilshusen: ] Well, unfortunately, they are not. Our work and the work of agency IGs have consistently found significant vulnerabilities in the information security programs, and, indeed, the controls, the policies and practices employed by agencies that are intended to protect their information and information systems.

[ Jacques Arsenault: ] And so it sounds like there are definitely some problems that go across agencies and certainly within. What are some of the policies and practices that they are using, though, currently?

[ Greg Wilshusen: ] Well, they use many of the policies and practices that have been prescribed by the National Institute of Standards and Technology, and also that are prescribed in law, in accordance with FISMA, the Federal Information Security Modernization Act of 2014. However, what we're finding is that they're not effectively and consistently implementing those practices over a period of time across the entire enterprise. And so what that means, and some of the specifics might be, for example, that agencies have procedures to install patches on their software where known vulnerabilities exist, but we found that often agencies do not implement those patches in a timely manner. And that is really a critical vulnerability, since many cyber attacks are facilitated by the lack of patches being installed on those systems. You know, very similar to the Equifax breach, which has been in the news recently.

[Background Music]

[ Jacques Arsenault: ] Given the need for these information security improvements, I asked Greg to walk me through his team's recommendations for these programs.

[ Greg Wilshusen: ] Over the years, GAO has made hundreds of recommendations to federal agencies to take corrective actions on the vulnerabilities that we have identified. These recommendations cover various different control types, and, indeed, processes that should be implemented by an agency's information security program, and because we made those recommendations in prior reports, we're not making specific recommendations to the individual agencies in this report. We are making one recommendation to OMB in order to review and develop a plan for evaluating the effectiveness of a new program by the IGs to evaluate their agencies' information security programs using the capability maturity model.

[ Jacques Arsenault: ] So, when you look at what we know about these agencies' information security programs and some of the holes, and when you think about all of the different types of information that agencies may have access to, what do you believe is the key takeaway from this report?

[ Greg Wilshusen: ] Well, I think there are several key takeaways. Actually, one is that while agencies continue to strive to improve the security over their systems, there are new initiatives, such as continuous monitoring, as well as the introduction of multi-factor authentication, to help protect systems. Until those initiatives and, indeed, basic, fundamental information security controls are implemented on a consistent basis, information will continue to be at risk. Information security is, first and foremost, a management issue. And until agencies provide the sufficient resources and priority to implement the security over their systems, they will continue to be subject to unauthorized access.

[Background Music]

[ Jacques Arsenault: ] Thanks for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts.

[Background Music]

[ Jacques Arsenault: ] For more from the Congressional Watchdog, the U.S. Government Accountability Office, visit us at GAO.gov.