Information Security:
FBI Needs to Address Weaknesses in Critical Network
GAO-07-368: Published: Apr 30, 2007. Publicly Released: May 24, 2007.
The Federal Bureau of Investigation (FBI) relies on a critical network to electronically communicate, capture, exchange, and access law enforcement and investigative information. Misuse or interruption of this critical network, or disclosure of the information traversing it, would impair FBI's ability to fulfill its missions. Effective information security controls are essential for ensuring that information technology resources and information are adequately protected from inadvertent or deliberate misuse, fraudulent use, disclosure, modification, or destruction. GAO was asked to assess information security controls for one of FBI's critical networks. To assess controls, GAO conducted a vulnerability assessment of the internal network and evaluated the bureau's information security program associated with the network operating environment. This report summarizes weaknesses in information security controls in one of FBI's critical networks.
Certain information security controls over the critical internal network reviewed were ineffective in protecting the confidentiality, integrity, and availability of information and information resources. Specifically, FBI did not consistently (1) configure network devices and services to prevent unauthorized insider access and ensure system integrity; (2) identify and authenticate users to prevent unauthorized access; (3) enforce the principle of least privilege to ensure that authorized access was necessary and appropriate; (4) apply strong encryption techniques to protect sensitive data on its networks; (5) log, audit, or monitor security-related events; (6) protect the physical security of its network; and (7) patch key servers and workstations in a timely manner. Taken collectively, these weaknesses place sensitive information transmitted on the network at risk of unauthorized disclosure or modification, and could result in a disruption of service, increasing the bureau's vulnerability to insider threats.

These weaknesses existed, in part, because FBI had not fully implemented key information security program activities for the critical network reviewed. FBI has developed an agencywide information security program, which includes an organization to monitor and protect the bureau's information systems from external attacks and insider misuse and to serve as the central focal point of contact for near-real-time security monitoring. However, shortcomings exist with certain program elements for the network, including an outdated risk assessment, incomplete security plan, incomplete specialized security training, insufficient testing, untimely remediation of weaknesses, and inadequate service continuity planning. Without a fully implemented program, certain security controls will likely remain inadequate or inconsistently applied.
Recommendations for Executive Action
Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should develop a comprehensive inventory of the current network operating environment.
Agency Affected: Department of Justice: Federal Bureau of Investigation
Status: Closed - Implemented
Comments: In fiscal year 2011 we verified that FBI developed a comprehensive inventory of the current network operating environment.

Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should update the network's risk assessment to reflect the current operating environment and ensure that the assessment includes elements required by the FBI Certification & Accreditation Handbook.
Agency Affected: Department of Justice: Federal Bureau of Investigation
Status: Closed - Implemented
Comments: In fiscal year 2011 we verified that FBI implemented a network risk assessment that reflected the current operating environment and included elements required by the FBI Certification & Accreditation Handbook.

Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should develop technical standards that include guidance for addressing the access control weaknesses identified.
Agency Affected: Department of Justice: Federal Bureau of Investigation
Status: Closed - Implemented
Comments: In fiscal year 2011 we verified that FBI developed technical standards that included guidance for addressing the access control weaknesses identified.

Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should update the network security plan to ensure that it reflects the current operating environment and includes sections required by the FBI Certification & Accreditation Handbook.
Agency Affected: Department of Justice: Federal Bureau of Investigation
Status: Closed - Implemented
Comments: In fiscal year 2011 we verified that FBI completed a network security plan that reflected the current operating environment and included sections required by the FBI Certification & Accreditation Handbook.

Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should ensure that all network users receive security awareness training and that all users with significant security responsibilities receive specialized training as defined by their role.
Agency Affected: Department of Justice: Federal Bureau of Investigation
Status: Closed - Implemented
Comments: In fiscal year 2011 we verified that FBI ensured that network users received security awareness training and that users with significant security responsibilities received specialized training as defined by their role.

Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should provide comprehensive coverage of system testing and scans.
Agency Affected: Department of Justice: Federal Bureau of Investigation
Status: Closed - Implemented
Comments: In fiscal year 2011 we verified that FBI provided comprehensive coverage of system testing and scans.

Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should correct identified weaknesses in a timely manner.
Agency Affected: Department of Justice: Federal Bureau of Investigation
Status: Closed - Implemented
Comments: In fiscal year 2011 we verified that FBI corrected identified weaknesses in a timely manner.

Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should develop a continuity of operations plan that addresses the current network environment, and periodically test the plan.
Agency Affected: Department of Justice: Federal Bureau of Investigation
Status: Closed - Implemented
Comments: In fiscal year 2011 we verified that FBI developed a continuity of operations plan that addressed the current network environment, and periodically tested the plan.