Information Security:
Agencies Need to Develop and Implement Adequate Policies for Periodic Testing
GAO-07-65: Published: Oct 20, 2006. Publicly Released: Nov 20, 2006.
Additional Materials:
- Highlights Page:
- Full Report:
- Accessible Text:
Contact:
(202) 512-6244
contact@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
Agencies rely extensively on computerized information systems and electronic data to carry out their missions. To ensure the security of the information and information systems that support critical operations and infrastructure, federal law and policy require agencies to periodically test and evaluate the effectiveness of their information security controls at least annually. GAO was asked to evaluate the extent to which agencies have adequately designed and effectively implemented policies for testing and evaluating their information security controls. GAO surveyed 24 major federal agencies and analyzed their policies to determine whether the policies address important elements for periodic testing. GAO also examined testing documentation at 6 agencies to assess the quality and effectiveness of testing on 30 systems.
Federal agencies have not adequately designed and effectively implemented policies for periodically testing and evaluating information security controls. Agencies' policies often did not include important elements for performing effective testing. For example, none of the agencies' policies addressed how to determine the depth and breadth of testing according to risk. Also, agencies did not always address other important elements, including the identification and testing of security controls common to multiple systems, the definition of roles and responsibilities of personnel performing tests, and the frequency of periodic testing. The six case study agencies did not effectively implement policies for periodically testing and evaluating information security controls for the 30 systems reviewed. The methods and practices for testing and evaluating controls at the six agencies were not adequate to ensure that assessments were consistent, of similar quality, and repeatable. For example, these agencies did not always sufficiently document their test methods and results, did not define the assessment methods to be used when evaluating security controls, did not test security controls as prescribed, and did not include previously reported remedial actions or weaknesses in their test plans to ensure they had been addressed. As a result, agencies may not have reasonable assurance that controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the agency. In addition, agencies may not be fully aware of the security control weaknesses in their systems, thereby leaving the agencies' information and systems vulnerable to attack or compromise.
Recommendations for Executive Action
Status: Closed - Implemented
Comments: In fiscal year 2011, we verified that OMB's fiscal year 2010 FISMA guidance instructed federal agencies to develop and implement policies on periodic testing and evaluation.
Recommendation: Because of the governmentwide weaknesses in the design and implementation of agencies' policies for periodically testing and evaluating security controls, the Director of the Office of Management and Budget should instruct federal agencies to develop and implement policies on periodic testing and evaluation.
Agency Affected: Executive Office of the President: Office of Management and Budget
Status: Closed - Implemented
Comments: In fiscal year 2011, we verified that OMB's fiscal year 2010 FISMA reporting guidance to the IGs requested that they report on the status of several program areas at their agency, including periodically testing and evaluating systems, which are covered under the continuous monitoring section.
Recommendation: Because of the governmentwide weaknesses in the design and implementation of agencies' policies for periodically testing and evaluating security controls, the Director of the Office of Management and Budget should revise instructions for future Federal Information Security Management Act reporting by requesting Inspectors General to report on the quality of agencies' periodic testing processes.
Agency Affected: Executive Office of the President: Office of Management and Budget
Status: Closed - Implemented
Comments: In fiscal year 2011, we verified that the Secretary of Commerce directed the Director, National Institute of Standards and Technology (NIST), to strengthen guidance on determining the depth and breadth of testing security controls through the issuance of NIST's Special Publication 800-53A, guide for conducting security assessments, which provides information on determining the depth and breadth of testing security controls.
Recommendation: The Secretary of Commerce should direct the Director, National Institute of Standards and Technology, to strengthen guidance on determining the depth and breadth of testing security controls.
Agency Affected: Department of Commerce
Explore the full database of GAO's Open Recommendations
»
Explore the full database of GAO's Open Recommendations
Sep 25, 2019
Critical Infrastructure Protection:
Actions Needed to Address Significant Cybersecurity Risks Facing the Electric GridGAO-19-332: Published: Aug 26, 2019. Publicly Released: Sep 25, 2019.
Jul 26, 2019
-
Federal Information Security:
Agencies and OMB Need to Strengthen Policies and PracticesGAO-19-545: Published: Jul 26, 2019. Publicly Released: Jul 26, 2019.
Jul 25, 2019
-
Cybersecurity:
Agencies Need to Fully Establish Risk Management Programs and Address ChallengesGAO-19-384: Published: Jul 25, 2019. Publicly Released: Jul 25, 2019.
Jul 18, 2019
-
Management Report:
Improvements Are Needed to Enhance the Internal Revenue Service's Information System Security ControlsGAO-19-474R: Published: Jul 18, 2019. Publicly Released: Jul 18, 2019.
Jun 14, 2019
-
Data Protection:
Federal Agencies Need to Strengthen Online Identity Verification ProcessesGAO-19-288: Published: May 17, 2019. Publicly Released: Jun 14, 2019.
Mar 27, 2019
-
Data Breaches:
Range of Consumer Risks Highlights Limitations of Identity Theft ServicesGAO-19-230: Published: Mar 27, 2019. Publicly Released: Mar 27, 2019.
Dec 20, 2018
-
Information Security:
Significant Progress Made, but CDC Needs to Take Further Action to Resolve Control Deficiencies and Improve Its ProgramGAO-19-70: Published: Dec 20, 2018. Publicly Released: Dec 20, 2018.
Dec 18, 2018
-
Information Security:
Agencies Need to Improve Implementation of Federal Approach to Securing Systems and Protecting against IntrusionsGAO-19-105: Published: Dec 18, 2018. Publicly Released: Dec 18, 2018.
Dec 6, 2018
-
Cybersecurity:
Federal Agencies Met Legislative Requirements for Protecting Privacy When Sharing Threat InformationGAO-19-114R: Published: Dec 6, 2018. Publicly Released: Dec 6, 2018.
Nov 13, 2018
-
Information Security:
OPM Has Implemented Many of GAO's 80 Recommendations, but Over One-Third Remain OpenGAO-19-143R: Published: Nov 13, 2018. Publicly Released: Nov 13, 2018.
Looking for more? Browse all our products here
Explore our Key Issues on Information Security
Explore our other Key Issues here
