Information Security:
Serious and Widespread Weaknesses Persist at Federal Agencies
AIMD-00-295: Published: Sep 6, 2000. Publicly Released: Sep 11, 2000.
Pursuant to a congressional request, GAO reviewed inspectors general information security audit findings for 24 federal agencies, focusing on: (1) information security weaknesses identified in audit reports issued from July 1999 through August 2000 and GAO's findings with similar information that GAO reported in September 1998; (2) weaknesses and the related risks at selected individual agencies; and (3) the most significant types of weaknesses in each of six categories of general controls that GAO used in its analysis.
GAO noted that: (1) evaluations of computer security published since July 1999 continue to show that federal computer security is fraught with weaknesses and that, as a result, critical operations and assets continue to be at risk; (2) as in 1998, GAO's analysis identified significant weaknesses in each of the 24 agencies covered by its review; (3) since July 1999, the range of weaknesses in individual agencies has broadened, at least in part because the scope of audits being performed is more comprehensive than in prior years; (4) while these audits are providing a more complete picture of the security problems agencies face, they also show that agencies have much work to do to ensure that their security programs are complete and effective; (5) the weaknesses identified place a broad array of federal operations and assets at risk of fraud, misuse, and disruption; (6) for example, weaknesses at the Department of the Treasury increase the risk of fraud associated with billions of dollars of federal payments and collections, and weaknesses at the Department of Defense increase the vulnerability of various military operations that support the department's war-fighting capability; (7) further, information security weaknesses place enormous amounts of confidential data, ranging from personal and tax data to proprietary business information, at risk of inappropriate disclosure; (8) for example, in 1999, a Social Security Administration employee pled guilty to unauthorized access of the administration's systems; (9) the related investigation determined that the employee had made many unauthorized queries, including obtaining earnings information for members of the local business community; (10) for most agencies, the weaknesses reported covered the full range of computer security controls; (11) security program planning and management were inadequate; (12) physical and logical access controls also were not effective in preventing or detecting system intrusions and misuse; (13) software change controls were ineffective in ensuring that only properly authorized and tested software programs were implemented; (14) duties were not adequately segregated to reduce the risk that one individual could execute unauthorized transactions or software changes without detection; (15) sensitive operating system software was not adequately controlled, and adequate steps had not been taken to ensure continuity of computerized operations; and (16) more needs to be done, especially in the area of security program planning and management, which involves instituting routine risk management activities aimed at ensuring that risks are understood and controls are implemented.