Information Security:
Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk
GAO-11-43: Published: Nov 30, 2010. Publicly Released: Nov 30, 2010.
Additional Materials:
- Highlights Page:
- Full Report:
- Accessible Text:
Contact:
(202) 512-6244
contact@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
Over the past several years, federal agencies have rapidly adopted the use of wireless technologies for their information systems. In a 2005 report, GAO recommended that the Office of Management and Budget (OMB), in its role overseeing governmentwide information security, take several steps to help agencies better secure their wireless networks. GAO was asked to update its prior report by (1) identifying leading practices and state-of-the-art technologies for deploying and monitoring secure wireless networks and (2) assessing agency efforts to secure wireless networks, including their vulnerability to attack. To do so, GAO reviewed publications, guidance, and other documentation and interviewed subject matter experts in wireless security. GAO also analyzed policies and plans and interviewed agency officials on wireless security at 24 major federal agencies and conducted additional detailed testing at these 5 agencies: the Departments of Agriculture, Commerce, Transportation, and Veterans Affairs, and the Social Security Administration.
GAO identified a range of leading security practices for deploying and monitoring secure wireless networks and technologies that can help secure these networks. The leading practices include the following: (1) comprehensive policies requiring secure encryption and establishing usage restrictions, implementation practices, and access controls; (2) a risk-based approach for wireless deployment and monitoring; (3) a centralized wireless management structure that is integrated with the management of the existing wired network; (4) configuration requirements for wireless networks and devices; (5) incorporation of wireless and mobile device security in training; (6) use of encryption, such as a virtual private network for remote access; (7) continuous monitoring for rogue access points and clients; and (8) regular assessments to ensure wireless networks are secure. Agencies have taken steps to secure their wireless networks, but more can be done to improve security and to limit vulnerability to attack. Specifically, application was inconsistent among the agencies for most of the following leading practices: (1) Most agencies developed policies to support federal guidelines and leading practices, but gaps existed, particularly with respect to dual-connected laptops and mobile devices taken on international travel. (2) All agencies required a risk-based approach for management of wireless technologies. (3) Many agencies used a decentralized structure for management of wireless, limiting the standardization that centralized management can provide. (4) The five agencies where GAO performed detailed testing generally securely configured wireless access points but had numerous weaknesses in laptop and smartphone configurations. (5) Most agencies were missing key elements related to wireless security in their security awareness training. (6) Twenty agencies required encryption, and eight of these agencies specified that a virtual private network must be used; four agencies did not require encryption for remote access. (7) Many agencies had insufficient practices for monitoring or conducting security assessments of their wireless networks. Existing governmentwide guidelines and oversight efforts do not fully address agency implementation of leading wireless security practices. Until agencies take steps to better implement these leading practices, and OMB takes steps to improve governmentwide oversight, wireless networks will remain at an increased vulnerability to attack.
Recommendations for Executive Action
Status: Closed - Not Implemented
Comments: As of September 15, 2015 the FISMA metrics do not contain specific metrics related to wireless security issues identified in this report.
Recommendation: To improve governmentwide oversight of wireless security practices, the Director of OMB, in consultation with the Secretary of Homeland Security, should include metrics related to wireless security as part of the Federal Information Security Management Act (FISMA) reporting process.
Agency Affected: Executive Office of the President: Office of Management and Budget
Status: Closed - Implemented
Comments: We verified that DHS developed the scope and specific time frames for activities that address wireless security as part of their reviews of agency cybersecurity programs.
Recommendation: To improve governmentwide oversight of wireless security practices, the Director of OMB, in consultation with the Secretary of Homeland Security, should develop the scope and specific time frames for additional activities that address wireless security as part of their reviews of agency cybersecurity programs.
Agency Affected: Executive Office of the President: Office of Management and Budget
Status: Closed - Implemented
Comments: We verified that Commerce instructed the Director of NIST to develop and issue guidelines in the following four areas:(1) technical steps agencies can take to mitigate the risk of dual connected laptops,(2) governmentwide secure configurations for wireless functionality on laptops and for smartphones such as BlackBerries,(3) appropriate ways agencies can centralize their management of wireless technologies based on business need, and(4) criteria for selection of tools and recommendations on appropriate frequencies of wireless security assessments and recommendations for when continuous monitoring of wireless networks may be appropriate.
Recommendation: The Secretary of Commerce should instruct the Director of NIST to develop and issue guidelines in the following four areas: (1) technical steps agencies can take to mitigate the risk of dual connected laptops, (2) governmentwide secure configurations for wireless functionality on laptops and for smartphones such as BlackBerries, (3) appropriate ways agencies can centralize their management of wireless technologies based on business need, and (4) criteria for selection of tools and recommendations on appropriate frequencies of wireless security assessments and recommendations for when continuous monitoring of wireless networks may be appropriate.
Agency Affected: Department of Commerce
Explore the full database of GAO's Open Recommendations
»
Explore the full database of GAO's Open Recommendations
Sep 25, 2020
Whistleblower Protection:
Actions Needed to Strengthen Selected Intelligence Community Offices of Inspector General ProgramsGAO-20-699: Published: Sep 25, 2020. Publicly Released: Sep 25, 2020.
Sep 23, 2020
-
Federal Property:
Formal Policies Could Enhance FDA's Property Management EffortsGAO-20-689: Published: Sep 23, 2020. Publicly Released: Sep 23, 2020.
Sep 10, 2020
-
2020 Census:
Key Areas for Attention Raised by Compressed TimeframesGAO-20-720T: Published: Sep 10, 2020. Publicly Released: Sep 10, 2020. -
Federal Advisory Committees:
Actions Needed to Enhance Decision-Making Transparency and Cost Data AccuracyGAO-20-575: Published: Sep 10, 2020. Publicly Released: Sep 10, 2020. -
Grants Management:
Agencies Provided Many Types of Technical Assistance and Applied Recipients' FeedbackGAO-20-580: Published: Aug 11, 2020. Publicly Released: Sep 10, 2020.
Sep 8, 2020
-
Federalism:
Opportunities Exist to Improve Coordination and Consultation with State and Local GovernmentsGAO-20-560: Published: Aug 7, 2020. Publicly Released: Sep 8, 2020.
Aug 31, 2020
-
Time and Attendance:
Agencies Generally Compiled Data on Misconduct, and Reported Using Various Internal Controls for MonitoringGAO-20-640: Published: Aug 31, 2020. Publicly Released: Aug 31, 2020.
Aug 27, 2020
-
2020 Census:
Recent Decision to Compress Census Timeframes Poses Additional Risks to an Accurate CountGAO-20-671R: Published: Aug 27, 2020. Publicly Released: Aug 27, 2020.
Aug 19, 2020
-
Interagency Council on Homelessness:
Governance Responsibilities Need Further ClarificationGAO-20-602: Published: Aug 19, 2020. Publicly Released: Aug 19, 2020.
Jul 9, 2020
-
DATA Act:
OIGs Reported That Quality of Agency-Submitted Data Varied, and Most Recommended ImprovementsGAO-20-540: Published: Jul 9, 2020. Publicly Released: Jul 9, 2020.
Looking for more? Browse all our products here
Explore our Key Issues on Government Operations
- 2020 Census - High Risk Issue
- Cybersecurity Challenges Facing the Nation – High Risk Issue
- Data-Driven Decision Making
- Department of Energy's Contract Management for the National Nuclear Security Administration and Office of Environmental Management - High Risk Issue
- DHS Management - High Risk Issue
- DOD Weapon Systems Acquisition - High Risk Issue
- Elections and Campaign Finance
- Federal Data Transparency
- Federal Financial Accountability
- Federal Grants to State and Local Governments
- Federal Real Property - High Risk Issue
- Federal Rulemaking
- Federal Telework
- Federal Training Investments and Assessments
- Improper Payments
- Improving Government Services to Taxpayers
- Leading Practices in Acquisition Management
- Leading Practices in Collaboration Across Governments, Nonprofits, and the Private Sector
- Leading Practices in Human Capital Management
- Leading Practices in Information Technology Management
- Managing for Results in Government
- NASA Acquisitions - High Risk Issue
- Open Innovation
- Strategic Management of Human Capital - High Risk Issue
- Tax Expenditures
- U.S. Postal Service's Financial Viability - High Risk Issue
- VA and DOD Health Care Management
- VA and DOD Patient Care
- Wireless Broadband Spectrum Management
Explore our other Key Issues here
