Information Security:
Answers to Posthearing Questions
AIMD-99-272R: Published: Aug 9, 1999. Publicly Released: Aug 9, 1999.
Pursuant to a congressional request, GAO responded to congressional questions regarding its June 24, 1999, testimony on the need for stronger information security management, focusing on: (1) the effectiveness of federal agencies' implementation of the 1987 Computer Security Act; (2) what gaps Presidential Decision Directive (PDD) No. 63 will fill within existing federal programs that would improve the security of federal computer systems; (3) how GAO's Information Security Management guide differs from existing guidelines and bulletins issued by the National Institute of Standards and Technology (NIST), and how agencies responded to the guide; and (4) whether the 1992 information security audits conducted by NIST and the National Security Agency (NSA) were effective and useful, and whether NIST and NSA should perform these audits on a regular basis.
GAO noted that: (1) while a standards program and some training have been provided, governmentwide computer security has not been achieved, primarily because individual agencies have not taken the steps needed to effectively implement NIST's standards and related guidance; (2) in 1998, GAO analyzed the results of the previous 2-1/2 years' computer security audit reports and found that significant weaknesses were reported for all 24 of the agencies covered by GAO's analysis; (3) these weaknesses placed a broad range of critical operations and assets at great risk of fraud, misuse, and disruption; (4) GAO also reported that, although a number of agencies, councils, and task forces were attempting to improve federal information security by addressing selected issues, there was no governmentwide strategy in this regard.

(5) PDD 63 has prompted efforts to develop a national plan, which is expected to address: (a) evaluating and improving agency computer security plans; and (b) developing improved capabilities for detecting and responding to serious computer-based attacks; (6) in addition, PDD 63 recognized the interdependencies among public and private sector entities, especially as they relate to protecting the nation's computer-supported critical infrastructures; (7) in this regard, the Directive initiated efforts to improve public-private sector cooperation.

(8) GAO's guide is based on the results of its study of eight nonfederal organizations regarded as having superior computer security programs; (9) as a result of this study, GAO identified a risk management cycle of activity, including 16 specific practices that these organizations told GAO were important to the success of their programs; (10) these practices are consistent with NIST guidance as well as with Office of Management and Budget (OMB) guidance; (11) in this regard, GAO's guide complements NIST and OMB guidance and should be viewed as a supplement to their publications; (12) agencies, as well as several private sector organizations, have responded very favorably to GAO's guide.

(13) Representatives from OMB, NIST, and NSA visited 28 agencies in an attempt to gain an overview of the agencies' information security programs, raise awareness of risks, and promote compliance with existing guidance; (14) while reportedly serving their intended purpose, the 1992 visits were not audits because they did not involve direct observation or testing of agency security controls in operation; and (15) to serve as a useful measure of performance, such audits need to be performed periodically so that current and past performance can be compared.