Information Security:

Agencies Need to Improve Controls over Selected High-Impact Systems

GAO-16-501: Published: May 18, 2016. Publicly Released: Jun 21, 2016.

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

 

Nabajyoti Barkakati, Ph.D.
(202) 512-4499
barkakatin@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

In GAO's survey of 24 federal agencies, the 18 agencies having high-impact systems identified cyber attacks from “nations” as the most serious and most frequently occurring threat to the security of their systems. These agencies also noted that attacks delivered through e-mail were the most serious and frequent. During fiscal year 2014, 11 of the 18 agencies reported 2,267 incidents affecting their high-impact systems, with almost 500 of the incidents involving the installation of malicious code.

Government entities have provided guidance and established initiatives and services to aid agencies in protecting their systems, including those categorized as high impact. The National Institute of Standards and Technology has prescribed federal standards for minimum security requirements and guidance on security and privacy controls for high-impact systems, including 83 controls specific to such systems. The Office of Management and Budget (OMB) is developing plans for shared services and practices for federal security operations centers but has not issued them yet. In addition, agencies reported that they are in the process of implementing various federal initiatives, such as tools to diagnose and mitigate intrusions on a continuous basis and stronger controls over access to agency networks.

The National Aeronautics and Space Administration (NASA), Nuclear Regulatory Commission (NRC), Office of Personnel Management (OPM), and Department of Veterans Affairs (VA) had implemented numerous controls over the eight high-impact systems GAO reviewed. For example, all the agencies reviewed had developed a risk assessment for their selected high-risk systems. However, the four agencies had not always effectively implemented access controls. These control weaknesses included those protecting system boundaries, identifying and authenticating users, authorizing access needed to perform job duties, and auditing and monitoring system activities. Weaknesses also existed in patching known software vulnerabilities and planning for contingencies. An underlying reason for these weaknesses is that the agencies had not fully implemented key elements of their information security programs, as shown in the table.

Agency Implementation of Key Information Security Program Elements for Selected Systems

                         NASA    NRC    OPM    VA
Risk assessments
Security plans
Controls assessments
Remedial action plans

Source: GAO analysis of agency documentation. | GAO-16-501

Note: ● – Met   ◐ – Partially met   ○ – Did not meet

Until the selected agencies address weaknesses in access and other controls, including fully implementing elements of their information security programs, the sensitive data maintained on selected systems will be at increased risk of unauthorized access, modification, and disclosure, and the systems at risk of disruption.

Why GAO Did This Study

Federal systems categorized as high impact—those that hold sensitive information, the loss of which could cause individuals, the government, or the nation catastrophic harm—warrant increased security to protect them. In this report, GAO (1) describes the extent to which agencies have identified cyber threats and have reported incidents involving high-impact systems, (2) identifies government-wide guidance and efforts to protect these systems, and (3) assesses the effectiveness of controls to protect selected high-impact systems at federal agencies. To do this, GAO surveyed 24 federal agencies; examined federal policies, standards, guidelines and reports; and interviewed agency officials. In addition, GAO tested and evaluated the security controls over eight high-impact systems at four agencies.

What GAO Recommends

GAO recommends that OMB complete its plans and practices for securing federal systems and that NASA, NRC, OPM, and VA fully implement key elements of their information security programs. The agencies generally concurred with GAO's recommendations, with the exception of OPM. OPM did not concur with the recommendation regarding evaluating security control assessments. GAO continues to believe the recommendation is warranted.

In separate reports with limited distribution, GAO is making specific recommendations to each of the four agencies to mitigate identified weaknesses in access controls, patch management, and contingency planning.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov, or Nabajyoti Barkakati at (202) 512-4499 or barkakatin@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: The Office of Management and Budget generally concurred with this recommendation. In fiscal year 2016 we verified that OMB issued an updated Circular A-130 on July 28, 2016.

    Recommendation: To improve security over federal systems, including those considered to be high impact, the Director of the Office of Management and Budget should issue Circular A-130.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  2. Status: Closed - Implemented

    Priority recommendation

    Comments: The National Aeronautics and Space Administration (NASA) concurred with our recommendation. In fiscal year 2016 we verified that NASA, in response to the recommendation, provides through its training system a catalog of NASA-sponsored learning opportunities and links to externally sponsored opportunities. Additionally, NASA uses this system to track individuals' training plans and compliance.

    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should provide and track specialized training for all individuals who have significant security responsibilities.

    Agency Affected: National Aeronautics and Space Administration

  3. Status: Closed - Implemented

    Priority recommendation

    Comments: NASA concurred with the recommendation. In fiscal year 2018 we verified that the agency has implemented a system to support updates of security assessment plans that include the test procedures to be performed. NASA has issued updated security assessment plans that include the test procedures to be performed for the two selected high-impact systems.

    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update security assessment plans for selected systems to ensure they include the test procedures to be performed.

    Agency Affected: National Aeronautics and Space Administration

  4. Status: Open

    Priority recommendation

    Comments: NASA concurred with the recommendation. The agency provided plans of action and milestones (POA&Ms) to address specific weaknesses that were overlooked in previous assessments; however, these POA&Ms do not address this recommendation. NASA needs to complete a re-evaluation of the security control assessments it has performed for the selected systems and take steps to ensure that such assessments include a comprehensive test of technical controls.

    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should re-evaluate security control assessments for selected systems to ensure that they comprehensively test technical controls.

    Agency Affected: National Aeronautics and Space Administration

  5. Status: Closed - Implemented

    Priority recommendation

    Comments: NASA concurred with the recommendation. In fiscal year 2018, we verified that NASA, in response to our recommendation, has implemented a system that generates plans of action and milestones (POA&Ms). The agency provided, for the two selected systems, examples of POA&Ms that include responsible organizations and sources of funding, as well as estimated funding, updated milestones, and completion dates.

    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update remedial action plans for selected systems, to include responsible organization, estimated funding, source of funding, and updated milestones and completion dates.

    Agency Affected: National Aeronautics and Space Administration

  6. Status: Open

    Priority recommendation

    Comments: NASA concurred with the recommendation. NASA has issued an updated continuous monitoring strategy, but this strategy does not clearly identify specific metrics to be used. NASA needs to specify metrics it will use as part of its continuous monitoring efforts.

    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update the continuous monitoring strategy to include metrics, ongoing status monitoring of metrics, and reporting of security status.

    Agency Affected: National Aeronautics and Space Administration

  7. Status: Closed - Implemented

    Comments: The Nuclear Regulatory Commission (NRC) concurred with our recommendation. In fiscal year 2017 we verified that NRC changed the security level of one of the high-impact systems to moderate. Consequently, our recommendation to update security plans to meet controls specific to high-impact systems no longer applies to this system. In fiscal year 2017 we also verified that NRC, in response to our recommendation, issued an updated system security plan for the other high-impact system that we reviewed. This plan addresses all controls specific to high-impact systems and offers explanations for those instances where a control is not implemented.

    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented.

    Agency Affected: Nuclear Regulatory Commission

  8. Status: Closed - Implemented

    Comments: The Nuclear Regulatory Commission (NRC) concurred with our recommendation. In fiscal year 2016 we verified that NRC, in response to our recommendation, is providing specialized security training for staff with significant security responsibilities in information technology, is defining training requirements, and is tracking compliance.

    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should provide and track specialized training for all individuals who have significant security responsibilities.

    Agency Affected: Nuclear Regulatory Commission

  9. Status: Closed - Implemented

    Comments: NRC concurred with our recommendation. In December 2016 NRC changed the security level of one of the high-impact systems to moderate. Consequently, our recommendation to re-evaluate security control assessments to meet controls specific to high-impact systems no longer applies to this system. In fiscal year 2018 we verified that NRC, in response to our recommendation, has fully implemented a continuous monitoring process for the remaining high-impact system. NRC now conducts quarterly security testing, and the results of these tests are evaluated in assessment reports that list the system's percentage of compliance for security, privacy, and program management controls.

    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should re-evaluate security control assessments to ensure that they comprehensively test technical controls.

    Agency Affected: Nuclear Regulatory Commission

  10. Status: Closed - Implemented

    Comments: NRC concurred with our recommendation. In fiscal year 2018 we verified that the agency has substantially addressed this recommendation by updating its plans of action and milestones (POA&Ms) to include the organization responsible for each POA&M, and scheduled completion dates. NRC does not include the estimated funding or the funding source in the POA&Ms, however. According to the agency, POA&Ms are not individually evaluated for cost estimates and resources needed because of the high volume of POA&Ms and the nature of the findings. NRC's cybersecurity budget, which is provided to OMB, includes POA&M remediation. Funding for POA&M remediation is also included in contracts for operations and maintenance services.

    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update remedial action plans for selected systems, to include responsible organization, estimated funding, funding source, and scheduled completion dates.

    Agency Affected: Nuclear Regulatory Commission

  11. Status: Open

    Comments: NRC concurred with our recommendation. As of July 2018, the agency expected to publish a revised computer security standard in the fourth quarter of fiscal year 2018.

    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update the standard that addresses continuous monitoring to include metrics and ongoing status monitoring.

    Agency Affected: Nuclear Regulatory Commission

  12. Status: Open

    Priority recommendation

    Comments: OPM concurred with our recommendation. The agency intends to migrate security plans to an automated system in order to improve management of security controls. OPM expects to complete this action in fiscal year 2018.

    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented, and where other plans are cross-referenced, ensure that the other system's plan appropriately addresses the control.

    Agency Affected: Office of Personnel Management

  13. Status: Open

    Priority recommendation

    Comments: OPM concurred with our recommendation. As of July 2018, OPM was in the process of reviewing its procedures for identifying employees and contractors who directly access its information systems and reviewing the training requirements for those individuals, as well as specialized training requirements, and how compliance is tracked.

    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should provide and track specialized training for all individuals, including contractors, who have significant security responsibilities.

    Agency Affected: Office of Personnel Management

  14. Status: Open

    Priority recommendation

    Comments: OPM did not concur with our recommendation. OPM is developing additional standards for evaluating technical-controls testing and will incorporate these standards into its oversight of security assessments, once the standards are complete. Subsequent to OPM informing us that it has re-evaluated tests of technical controls, we plan to verify the agency's actions.

    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should re-evaluate security control assessments to ensure that they comprehensively test technical controls.

    Agency Affected: Office of Personnel Management

  15. Status: Open

    Comments: OPM concurred with our recommendation. As of March 2018, OPM was in the process of migrating POA&Ms to a new automated system that will allow the source of funding to be included in plans of action and milestones.

    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should update remedial action plans for selected systems, to include source of funding and updated completion dates.

    Agency Affected: Office of Personnel Management

  16. Status: Closed - Implemented

    Comments: VA concurred with our recommendation. In fiscal year 2018, we verified that VA updated the two system security plans to include all 83 security controls that are specific to high-impact systems.

    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented.

    Agency Affected: Department of Veterans Affairs

  17. Status: Closed - Implemented

    Comments: VA concurred with our recommendation. In fiscal year 2018, we verified that VA is offering specialized courses for staff with significant security responsibilities, and is tracking staff members' completion of courses.

    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans should provide and track specialized training for all individuals who have significant security responsibilities.

    Agency Affected: Department of Veterans Affairs

  18. Status: Open

    Comments: VA concurred with our recommendation. VA has conducted security control assessments for the two systems, but these assessments do not show that technical controls were comprehensively tested. We will continue to follow up with the department.

    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans should conduct security control assessments for the two selected systems and ensure the procedures comprehensively test technical controls.

    Agency Affected: Department of Veterans Affairs

  19. Status: Closed - Implemented

    Comments: VA concurred with our recommendation. In fiscal year 2018, we verified that VA is listing in its POA&Ms the estimated funding and the source of the funding. This action increases assurance that the agency will be able to efficiently address known information security weaknesses.

    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans should update remedial action plans for selected systems, to include estimated funding and funding source.

    Agency Affected: Department of Veterans Affairs

  20. Status: Open

    Comments: VA concurred with our recommendation. VA provided information on its continuous monitoring strategy for information security, but the documents did not include specific descriptions of the metrics and how they are monitored and reported. We will continue to follow up with the department.

    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans should develop a continuous monitoring strategy that addresses organization-defined metrics, frequency of monitoring metrics, ongoing status monitoring of metrics, and reporting of security status.

    Agency Affected: Department of Veterans Affairs

  21. Status: Open

    Comments: OMB concurred with our recommendation. On December 9, 2016, OMB issued memorandum M-17-09, Management of Federal High Value Assets, which lists some existing policies and guidance and other actions that agencies need to take to protect IT assets. Further information is needed to validate implementation of the recommendation.

    Recommendation: To improve security over federal systems, including those considered to be high impact, the Director of the Office of Management and Budget should issue the plans and practices specified in the Cybersecurity Strategy and Implementation Plan.

    Agency Affected: Executive Office of the President: Office of Management and Budget
