From the U.S. Government Accountability Office, www.gao.gov

Transcript for: Information Systems Security and Intrusion Protection

Description: Hear what GAO found when we looked at how federal agencies are doing to secure their information systems.

Related GAO Work: GAO-19-105: Information Security: Agencies Need to Improve Implementation of Federal Approach to Securing Systems and Protecting against Intrusions

Released: December 2018

[ Background Music ]

[ Greg Wilshusen: ] It's a widespread problem across the federal government and much more needs to be done.

[ Matt Oldham: ] Welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office. I'm Matt Oldham. If you can imagine the sheer volume and sensitive nature of digital information stored by federal agencies, like the Departments of Defense, Treasury, or Health and Human Services, you likely wouldn't need much convincing on the importance of safeguarding that data. I'm with Greg Wilshusen, a director with GAO's Information Technology team and we're discussing a GAO report that reviewed the government's approaches and strategies designed to foil attacks on federal information systems. Greg, is the government doing a better job today of protecting against cyberattacks than before the 2015 Office of Personnel Management data breach?

[ Greg Wilshusen: ] In some respects, it is, Matt. We found that agencies in the federal government have initiated several efforts to try to improve the security over the federal systems. However, much still remains to be done. Our work has shown that a majority of federal agencies are not implementing or effectively implementing the federal approach to securing their systems. For example, 17 out of the 23 CFO Act agencies, and those are some of the more major federal departments and agencies within the federal government, have ineffective information security programs, as determined by their agency's inspectors general.
In addition, 17 out of the 23 agencies have reported either significant deficiency or material weakness in information security controls for the purposes of internal control over the financial reporting. So, it's a widespread problem across the federal government and much more needs to be done.

[ Matt Oldham: ] So, why is it so important that the government gets this right? What's at stake if we don't?

[ Greg Wilshusen: ] There's -- quite a bit is at stake, as it relates to national security, public health and safety, as well as the national economic capabilities of this country. You know, a lot of people are concerned, of course -- and rightly so -- about the compromise of personally identifiable information that can expose information -- or individuals whose information have been compromised to identity theft and potentially other financial crimes. But the federal government maintains a lot of very sensitive information; for example, the design and performance of our military's weapon systems.

[ Matt Oldham: ] Did you find anything that would prevent these federal agencies from doing just that?

[ Greg Wilshusen: ] Yes, actually several things. Indeed, you know, one of the key areas that we've identified where agencies have had problems and challenges in protecting their systems is the way they actually assess their risk. It's important that agencies know what the threats are, how to evaluate the vulnerabilities associated with their systems, and then identify the risks of the threats compromising those vulnerabilities to affect and gain access to their systems.

[ Background Music ]

[ Matt Oldham: ] So, it sounds like when it comes to information system security, agencies have started to implement government-wide frameworks and standards, but more work remains, especially with finding where they are most at risk of security breaches or attacks. So, what recommendations does the report have?
[ Greg Wilshusen: ] Well, we make several recommendations to the Department of Homeland Security and the Office of Management and Budget. Both of these agencies have overall responsibilities for developing and overseeing the implementation of information security policies and practices for the federal government. And so, we have recommendations for Department of Homeland Security to work with OMB to identify the obstacles and impediments that federal agencies face in adequately implementing security, particularly in detecting and preventing intrusions to their systems.

[ Matt Oldham: ] Lastly, what do you believe is the bottom line of this report?

[ Greg Wilshusen: ] Well, I think the bottom line is basically that DHS and OMB need to help agencies to improve the implementation of the federal approach and strategy for securing their information systems and improving their defenses against intrusions.

[ Matt Oldham: ] Greg Wilshusen is an information technology director with GAO and he was talking about a GAO report on the government's information systems security. Thank you for your time, Greg.

[ Greg Wilshusen: ] Thank you, Matt.

[ Background Music ]

[ Matt Oldham: ] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts.

[ Background Music ]

[ Matt Oldham: ] For more from the congressional watchdog, the U.S. Government Accountability Office, visit us at gao.gov.