Information Security:

Agencies Need to Improve Controls over Selected High-Impact Systems

GAO-16-501: Published: May 18, 2016. Publicly Released: Jun 21, 2016.

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

Nabajyoti Barkakati, Ph.D.
(202) 512-4499
barkakatin@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

In GAO's survey of 24 federal agencies, the 18 agencies having high-impact systems identified cyber attacks from “nations” as the most serious and most frequently occurring threat to the security of their systems. These agencies also noted that attacks delivered through e-mail were the most serious and frequent. During fiscal year 2014, 11 of the 18 agencies reported 2,267 incidents affecting their high-impact systems, with almost 500 of the incidents involving the installation of malicious code.

Government entities have provided guidance and established initiatives and services to aid agencies in protecting their systems, including those categorized as high impact. The National Institute of Standards and Technology has prescribed federal standards for minimum security requirements and guidance on security and privacy controls for high-impact systems, including 83 controls specific to such systems. The Office of Management and Budget (OMB) is developing plans for shared services and practices for federal security operations centers but has not issued them yet. In addition, agencies reported that they are in the process of implementing various federal initiatives, such as tools to diagnose and mitigate intrusions on a continuous basis and stronger controls over access to agency networks.

The National Aeronautics and Space Administration (NASA), Nuclear Regulatory Commission (NRC), Office of Personnel Management (OPM), and Department of Veterans Affairs (VA) had implemented numerous controls over the eight high-impact systems GAO reviewed. For example, all the agencies reviewed had developed a risk assessment for their selected high-risk systems. However, the four agencies had not always effectively implemented access controls. These control weaknesses included those protecting system boundaries, identifying and authenticating users, authorizing access needed to perform job duties, and auditing and monitoring system activities. Weaknesses also existed in patching known software vulnerabilities and planning for contingencies. An underlying reason for these weaknesses is that the agencies had not fully implemented key elements of their information security programs, as shown in the table.

Agency Implementation of Key Information Security Program Elements for Selected Systems

[Table: rows are the program elements assessed (risk assessments, security plans, controls assessments, remedial action plans); columns are the four agencies (NASA, NRC, OPM, VA). The per-agency ratings in the cells were not captured in this extraction.]

Source: GAO analysis of agency documentation. | GAO-16-501

Note: ● – Met ◐ – Partially met ○ – Did not meet

Until the selected agencies address weaknesses in access and other controls, including fully implementing elements of their information security programs, the sensitive data maintained on selected systems will be at increased risk of unauthorized access, modification, and disclosure, and the systems at risk of disruption.

Why GAO Did This Study

Federal systems categorized as high impact—those that hold sensitive information, the loss of which could cause individuals, the government, or the nation catastrophic harm—warrant increased security to protect them. In this report, GAO (1) describes the extent to which agencies have identified cyber threats and have reported incidents involving high-impact systems, (2) identifies government-wide guidance and efforts to protect these systems, and (3) assesses the effectiveness of controls to protect selected high-impact systems at federal agencies. To do this, GAO surveyed 24 federal agencies; examined federal policies, standards, guidelines and reports; and interviewed agency officials. In addition, GAO tested and evaluated the security controls over eight high-impact systems at four agencies.

What GAO Recommends

GAO recommends that OMB complete its plans and practices for securing federal systems and that NASA, NRC, OPM, and VA fully implement key elements of their information security programs. The agencies generally concurred with GAO's recommendations, with the exception of OPM. OPM did not concur with the recommendation regarding evaluating security control assessments. GAO continues to believe the recommendation is warranted.

In separate reports with limited distribution, GAO is making specific recommendations to each of the four agencies to mitigate identified weaknesses in access controls, patch management, and contingency planning.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov, or Nabajyoti Barkakati at (202) 512-4499 or barkakatin@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: The Office of Management and Budget generally concurred with this recommendation. In fiscal year 2016 we verified that OMB issued an updated Circular A-130 on July 28, 2016.

    Recommendation: To improve security over federal systems, including those considered to be high impact, the Director of the Office of Management and Budget should issue Circular A-130.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  2. Status: Closed - Implemented

    Priority recommendation

    Comments: The National Aeronautics and Space Administration (NASA) concurred with our recommendation. In fiscal year 2016 we verified that NASA, in response to the recommendation, provides through its training system a catalog of NASA-sponsored learning opportunities and links to externally sponsored opportunities. Additionally, NASA uses this system to track individuals' training plans and compliance.

    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should provide and track specialized training for all individuals who have significant security responsibilities.

    Agency Affected: National Aeronautics and Space Administration

  3. Status: Closed - Implemented

    Priority recommendation

    Comments: NASA concurred with the recommendation. In fiscal year 2018 we verified that the agency has implemented a system to support updates of security assessment plans that include the test procedures to be performed. NASA has issued updated security assessment plans that include the test procedures to be performed for the two selected high-impact systems.

    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update security assessment plans for selected systems to ensure they include the test procedures to be performed.

    Agency Affected: National Aeronautics and Space Administration

  4. Status: Closed - Implemented

    Priority recommendation

    Comments: NASA concurred with the recommendation. In fiscal year 2019 we verified that NASA, in response to our recommendation, has taken steps to ensure comprehensive testing of the technical security controls for the systems we examined. NASA's security assessments include on-site testing of controls and component testing, in addition to interviews and document reviews. Its System Assessment Reports (SARs) show that the agency has re-evaluated the control assessments for selected systems, and identified controls that did not meet requirements. The agency has also identified deficiencies in the scope of tests for some security controls. In addition, NASA has developed recommendations to review the scope of testing annually as part of its continuous monitoring efforts.

    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should re-evaluate security control assessments for selected systems to ensure that they comprehensively test technical controls.

    Agency Affected: National Aeronautics and Space Administration

  5. Status: Closed - Implemented

    Priority recommendation

    Comments: NASA concurred with the recommendation. In fiscal year 2018, we verified that NASA, in response to our recommendation, has implemented a system that generates plans of action and milestones (POA&Ms). The agency provided, for the two selected systems, examples of POA&Ms that include responsible organizations and sources of funding, as well as estimated funding, updated milestones, and completion dates.

    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update remedial action plans for selected systems, to include responsible organization, estimated funding, source of funding, and updated milestones and completion dates.

    Agency Affected: National Aeronautics and Space Administration

  6. Status: Closed - Implemented

    Priority recommendation

    Comments: NASA concurred with the recommendation. The agency updated its information security continuous monitoring strategy by defining metrics to assess the effectiveness of its information security efforts. In addition, the strategy specifies how frequently each metric must be monitored and reported.

    Recommendation: To improve agency information security programs, the Administrator of the National Aeronautics and Space Administration should update the continuous monitoring strategy to include metrics, ongoing status monitoring of metrics, and reporting of security status.

    Agency Affected: National Aeronautics and Space Administration

  7. Status: Closed - Implemented

    Comments: The Nuclear Regulatory Commission (NRC) concurred with our recommendation. In fiscal year 2017 we verified that NRC changed the security level of one of the high-impact systems to moderate. Consequently, our recommendation to update security plans to meet controls specific to high-impact systems no longer applies to this system. In fiscal year 2017 we also verified that NRC, in response to our recommendation, issued an updated system security plan for the other high-impact system that we reviewed. This plan addresses all controls specific to high-impact systems and offers explanations for those instances where a control is not implemented.

    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented.

    Agency Affected: Nuclear Regulatory Commission

  8. Status: Closed - Implemented

    Comments: The Nuclear Regulatory Commission (NRC) concurred with our recommendation. In fiscal year 2016 we verified that NRC, in response to our recommendation, is providing specialized security training for staff with significant security responsibilities in information technology, is defining training requirements, and is tracking compliance.

    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should provide and track specialized training for all individuals who have significant security responsibilities.

    Agency Affected: Nuclear Regulatory Commission

  9. Status: Closed - Implemented

    Comments: NRC concurred with our recommendation. In December 2016 NRC changed the security level of one of the high-impact systems to moderate. Consequently, our recommendation to reevaluate security control assessments to meet controls specific to high-impact systems no longer applies to this system. In fiscal year 2018 we verified that NRC, in response to our recommendation, has fully implemented a continuous monitoring process for the remaining high-impact system. NRC now conducts quarterly security testing and the results of these tests are evaluated in assessment reports that list the system's percentage of compliance for security, privacy, and program management controls.

    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should re-evaluate security control assessments to ensure that they comprehensively test technical controls.

    Agency Affected: Nuclear Regulatory Commission

  10. Status: Closed - Implemented

    Comments: NRC concurred with our recommendation. In fiscal year 2018 we verified that the agency has substantially addressed this recommendation by updating its plans of action and milestones (POA&Ms) to include the organization responsible for each POA&M, and scheduled completion dates. NRC does not include the estimated funding or the funding source in the POA&Ms, however. According to the agency, POA&Ms are not individually evaluated for cost estimates and resources needed because of the high volume of POA&Ms and the nature of the findings. NRC's cybersecurity budget, which is provided to OMB, includes POA&M remediation. Funding for POA&M remediation is also included in contracts for operations and maintenance services.

    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update remedial action plans for selected systems, to include responsible organization, estimated funding, funding source, and scheduled completion dates.

    Agency Affected: Nuclear Regulatory Commission

  11. Status: Closed - Implemented

    Comments: NRC concurred with our recommendation. NRC has issued an Office Instruction that lists the metrics NRC will use to continuously monitor the security status of systems owned and used by the agency. The instruction also specifies the frequency with which NRC is to conduct status monitoring, ranging from quarterly to continuous.

    Recommendation: To improve agency information security programs, the Chairman of the Nuclear Regulatory Commission should update the standard that addresses continuous monitoring to include metrics and ongoing status monitoring.

    Agency Affected: Nuclear Regulatory Commission

  12. Status: Open

    Priority recommendation

    Comments: OPM agreed with the recommendation. According to OPM, it is developing and configuring an automated system that will allow for management of security controls and security plans. In December 2018, OPM officials told us that the office plans to complete these actions by June 2019 and it is exploring options to accelerate this timeline.

    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented, and where other plans are cross-referenced, ensure that the other system's plan appropriately addresses the control.

    Agency Affected: Office of Personnel Management

  13. Status: Open

    Priority recommendation

    Comments: OPM partially agreed with this recommendation. In December 2018, OPM stated that it is working with its learning management system vendor to develop requirements, but had not yet targeted an expected completion date. To fully implement the recommendation, OPM needs to complete its efforts to ensure that it provides and tracks training for individuals with significant security responsibilities.

    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should provide and track specialized training for all individuals, including contractors, who have significant security responsibilities.

    Agency Affected: Office of Personnel Management

  14. Status: Open

    Priority recommendation

    Comments: OPM disagreed with this recommendation. Because of the importance of ensuring personally identifiable information is protected and our national IT systems are secure, we maintain that OPM should fully address this recommendation. In January 2018 OPM provided documentation supporting its security control assessments, but this information did not demonstrate that the agency was ensuring comprehensive testing of technical controls. We have requested further evidence showing assessment results and OPM's reviews of testing procedures. In December 2018, OPM told us it plans to provide this information by spring 2019.

    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should re-evaluate security control assessments to ensure that they comprehensively test technical controls.

    Agency Affected: Office of Personnel Management

  15. Status: Open

    Comments: OPM concurred with our recommendation. In March 2018, an OPM official stated that the office was in the process of migrating plans of action and milestones (POA&Ms) to a new automated system that will allow the source of funding to be included in these POA&Ms. As of March 2019, the agency has not provided evidence that it has implemented this recommendation. Subsequent to OPM informing us that it has completed implementation, we plan to verify the agency's actions.

    Recommendation: To improve agency information security programs, the Acting Director of the Office of Personnel Management should update remedial action plans for selected systems, to include source of funding and updated completion dates.

    Agency Affected: Office of Personnel Management

  16. Status: Closed - Implemented

    Comments: VA concurred with our recommendation. In fiscal year 2018, we verified that VA updated the two system security plans to include all 83 security controls that are specific to high-impact systems.

    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented.

    Agency Affected: Department of Veterans Affairs

  17. Status: Closed - Implemented

    Comments: VA concurred with our recommendation. In fiscal year 2018, we verified that VA is offering specialized courses for staff with significant security responsibilities, and is tracking staff members' completion of courses.

    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should provide and track specialized training for all individuals who have significant security responsibilities.

    Agency Affected: Department of Veterans Affairs

  18. Status: Open

    Comments: VA concurred with our recommendation. VA has conducted security control assessments for the two systems, but these assessments do not show that technical controls were comprehensively tested. As of March 2019, the agency has not provided evidence that it has implemented this recommendation. We are following up with the department.

    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should conduct security control assessments for the two selected systems and ensure the procedures comprehensively test technical controls.

    Agency Affected: Department of Veterans Affairs

  19. Status: Closed - Implemented

    Comments: VA concurred with our recommendation. In fiscal year 2018, we verified that VA is listing in its POA&Ms the estimated funding and the source of the funding. This action increases assurance that the agency will be able to efficiently address known information security weaknesses.

    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should update remedial action plans for selected systems, to include estimated funding and funding source.

    Agency Affected: Department of Veterans Affairs

  20. Status: Open

    Comments: VA concurred with our recommendation. The department provided information on its continuous monitoring strategy for information security, but the documents did not include specific descriptions of the metrics and how they are monitored and reported. As of March 2019, VA has not provided evidence that it has implemented this recommendation. We are following up with the department.

    Recommendation: To improve agency information security programs, the Secretary of the Department of Veterans Affairs should develop a continuous monitoring strategy that addresses organization-defined metrics, frequency of monitoring metrics, ongoing status monitoring of metrics, and reporting of security status.

    Agency Affected: Department of Veterans Affairs

  21. Status: Open

    Comments: OMB concurred with our recommendation. On December 9, 2016, OMB issued memorandum M-17-09, Management of Federal High Value Assets, which lists some existing policies and guidance and other actions that agencies need to take to protect IT assets. Further information is needed to validate implementation of the recommendation. As of March 2019, the agency has not provided evidence that it has implemented this recommendation. Subsequent to OMB informing us that it has completed implementation, we plan to verify the agency's actions.

    Recommendation: To improve security over federal systems, including those considered to be high impact, the Director of the Office of Management and Budget should issue the plans and practices specified in the Cybersecurity Strategy and Implementation Plan.

    Agency Affected: Executive Office of the President: Office of Management and Budget
