Information Security:
FBI Needs to Address Weaknesses in Critical Network
GAO-07-368: Published: Apr 30, 2007. Publicly Released: May 24, 2007.
Additional Materials:
- Highlights Page:
- Full Report:
- Accessible Text:
Contact:
(202) 512-6244
contact@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
The Federal Bureau of Investigation (FBI) relies on a critical network to electronically communicate, capture, exchange, and access law enforcement and investigative information. Misuse or interruption of this critical network, or disclosure of the information traversing it, would impair FBI's ability to fulfill its missions. Effective information security controls are essential for ensuring that information technology resources and information are adequately protected from inadvertent or deliberate misuse, fraudulent use, disclosure, modification, or destruction. GAO was asked to assess information security controls for one of FBI's critical networks. To assess controls, GAO conducted a vulnerability assessment of the internal network and evaluated the bureau's information security program associated with the network operating environment. This report summarizes weaknesses in information security controls in one of FBI's critical networks.
Certain information security controls over the critical internal network reviewed were ineffective in protecting the confidentiality, integrity, and availability of information and information resources. Specifically, FBI did not consistently (1) configure network devices and services to prevent unauthorized insider access and ensure system integrity; (2) identify and authenticate users to prevent unauthorized access; (3) enforce the principle of least privilege to ensure that authorized access was necessary and appropriate; (4) apply strong encryption techniques to protect sensitive data on its networks; (5) log, audit, or monitor security-related events; (6) protect the physical security of its network; and (7) patch key servers and workstations in a timely manner. Taken collectively, these weaknesses place sensitive information transmitted on the network at risk of unauthorized disclosure or modification, and could result in a disruption of service, increasing the bureau's vulnerability to insider threats. These weaknesses existed, in part, because FBI had not fully implemented key information security program activities for the critical network reviewed. FBI has developed an agencywide information security program, which includes an organization to monitor and protect the bureau's information systems from external attacks and insider misuse and to serve as the central focal point of contact for near-real-time security monitoring. However, shortcomings exist with certain program elements for the network, including an outdated risk assessment, incomplete security plan, incomplete specialized security training, insufficient testing, untimely remediation of weaknesses, and inadequate service continuity planning. Without a fully implemented program, certain security controls will likely remain inadequate or inconsistently applied.
Recommendations for Executive Action
Status: Closed - Implemented
Comments: In fiscal year 2011 we verified that FBI corrected identified weaknesses in a timely manner.
Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should correct identified weaknesses in a timely manner.
Agency Affected: Department of Justice: Federal Bureau of Investigation
Status: Closed - Implemented
Comments: In fiscal year 2011 we verified that FBI provided comprehensive coverage of system testing and scans.
Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should provide comprehensive coverage of system testing and scans.
Agency Affected: Department of Justice: Federal Bureau of Investigation
Status: Closed - Implemented
Comments: In fiscal year 2011 we verified that FBI ensured that network users received security awareness training and that users with significant security responsibilities received specialized training as defined by their role.
Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should ensure that all network users receive security awareness training and that all users with significant security responsibilities receive specialized training as defined by their role.
Agency Affected: Department of Justice: Federal Bureau of Investigation
Status: Closed - Implemented
Comments: In fiscal year 2011 we verified that FBI completed a network security plan that reflected the current operating environment and included sections required by the FBI Certification & Accreditation Handbook.
Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should update the network security plan to ensure that it reflects the current operating environment and includes sections required by the FBI Certification & Accreditation Handbook.
Agency Affected: Department of Justice: Federal Bureau of Investigation
Status: Closed - Implemented
Comments: In fiscal year 2011 we verified that FBI developed technical standards that included guidance for addressing the access control weaknesses identified.
Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should develop technical standards that include guidance for addressing the access control weaknesses identified.
Agency Affected: Department of Justice: Federal Bureau of Investigation
Status: Closed - Implemented
Comments: In fiscal year 2011 we verified that FBI implemented a network risk assessment that reflected the current operating environment and included elements required by the FBI Certification & Accreditation Handbook.
Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should update the network's risk assessment to reflect the current operating environment and ensure that the assessment includes elements required by the FBI Certification & Accreditation Handbook.
Agency Affected: Department of Justice: Federal Bureau of Investigation
Status: Closed - Implemented
Comments: In fiscal year 2011 we verified that FBI developed a comprehensive inventory of the current network operating environment.
Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should develop a comprehensive inventory of the current network operating environment.
Agency Affected: Department of Justice: Federal Bureau of Investigation
Status: Closed - Implemented
Comments: In fiscal year 2011 we verified that FBI developed a continuity of operations plan that addressed the current network environment, and periodically tested the plan.
Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should develop a continuity of operations plan that addresses the current network environment, and periodically test the plan.
Agency Affected: Department of Justice: Federal Bureau of Investigation
Explore the full database of GAO's Open Recommendations
»
Explore the full database of GAO's Open Recommendations
Jul 31, 2018
Information Security:
IRS Needs to Rectify Control Deficiencies That Limit Its Effectiveness in Protecting Sensitive Financial and Taxpayer DataGAO-18-391: Published: Jul 31, 2018. Publicly Released: Jul 31, 2018.
Jul 25, 2018
-
High-Risk Series:
Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the NationGAO-18-645T: Published: Jul 25, 2018. Publicly Released: Jul 25, 2018.
Jul 12, 2018
-
Information Security:
Supply Chain Risks Affecting Federal AgenciesGAO-18-667T: Published: Jul 12, 2018. Publicly Released: Jul 12, 2018.
Jun 14, 2018
-
Cybersecurity Workforce:
Agencies Need to Improve Baseline Assessments and Procedures for Coding PositionsGAO-18-466: Published: Jun 14, 2018. Publicly Released: Jun 14, 2018.
May 14, 2018
-
Protecting Classified Information:
Defense Security Service Should Address Challenges as New Approach Is PilotedGAO-18-407: Published: May 14, 2018. Publicly Released: May 14, 2018.
Apr 24, 2018
-
Cybersecurity:
DHS Needs to Enhance Efforts to Improve and Promote the Security of Federal and Private-Sector NetworksGAO-18-520T: Published: Apr 24, 2018. Publicly Released: Apr 24, 2018.
Mar 7, 2018
-
Cybersecurity Workforce:
DHS Needs to Take Urgent Action to Identify Its Position and Critical Skill RequirementsGAO-18-430T: Published: Mar 7, 2018. Publicly Released: Mar 7, 2018.
Feb 6, 2018
-
Cybersecurity Workforce:
Urgent Need for DHS to Take Actions to Identify Its Position and Critical Skill RequirementsGAO-18-175: Published: Feb 6, 2018. Publicly Released: Feb 6, 2018.
Sep 28, 2017
-
Federal Information Security:
Weaknesses Continue to Indicate Need for Effective Implementation of Policies and PracticesGAO-17-549: Published: Sep 28, 2017. Publicly Released: Sep 28, 2017.
Aug 3, 2017
-
Information Security:
OPM Has Improved Controls, but Further Efforts Are NeededGAO-17-614: Published: Aug 3, 2017. Publicly Released: Aug 3, 2017.
Looking for more? Browse all our products here
Explore our Key Issues on Information Security
Explore our other Key Issues here
