Critical Infrastructure Protection:

Fundamental Improvements Needed to Assure Security of Federal Operations

T-AIMD-00-7: Published: Oct 6, 1999. Publicly Released: Oct 6, 1999.

Contact: Jack L. Brock, Jr., (202) 512-4841

Pursuant to a congressional request, GAO discussed the computer security aspects of critical infrastructure protection, focusing on federal agency performance in addressing computer security issues.

GAO noted that:

(1) reports issued by GAO and various Inspectors General over the last 5 years describe persistent computer security weaknesses that place federal operations at risk of disruption, fraud, and inappropriate disclosures;

(2) GAO's most recent analysis, of reports issued during fiscal year 1999, identified significant computer security weaknesses in 22 of the largest federal agencies;

(3) these included weaknesses in:
    (a) controls over access to sensitive systems and data;
    (b) controls over software development and changes; and
    (c) continuity of service plans;

(4) this body of audit evidence led GAO, in February 1997 and again in January 1999, to designate information security as a governmentwide high-risk area in reports to Congress;

(5) while a number of factors have contributed to weak federal information security, the fundamental underlying problem is poor security program management;

(6) weaknesses continue to surface because agencies have not implemented a management framework for overseeing information security on an agencywide and ongoing basis;

(7) to provide greater assurance that critical infrastructure objectives can be met, GAO believes that actions are needed in seven key areas;

(8) it is important that the federal strategy delineate the roles and responsibilities of the numerous entities involved in federal information security and related aspects of critical infrastructure protection;

(9) agencies need more specific guidance on the controls that they need to implement;

(10) implementing such standards for federal agencies would require developing:
    (a) a single set of information classification categories for use by all agencies to define the criticality and sensitivity of the various types of information they maintain; and
    (b) minimum mandatory requirements for protecting information in each classification category;

(11) routine periodic audits must be implemented to allow for meaningful performance measurement;

(12) it is important for agencies to have the technical expertise they need to select, implement, and maintain controls that protect their computer systems;

(13) agencies must have resources sufficient to support their computer security and infrastructure protection activities; and

(14) there is a need to more comprehensively monitor and develop responses to intrusions, viruses, and other incidents that threaten federal systems.
