Critical Infrastructure Protection:
Fundamental Improvements Needed to Assure Security of Federal Operations
T-AIMD-00-7: Published: Oct 6, 1999. Publicly Released: Oct 6, 1999.
Pursuant to a congressional request, GAO discussed the computer security aspects of critical infrastructure protection, focusing on federal agency performance in addressing computer security issues.
GAO noted that: (1) reports issued by GAO and various Inspectors General over the last 5 years describe persistent computer security weaknesses that place federal operations at risk of disruption, fraud, and inappropriate disclosures; (2) GAO's most recent analysis, of reports issued during fiscal year 1999, identified significant computer security weaknesses in 22 of the largest federal agencies; (3) these included weaknesses in: (a) controls over access to sensitive systems and data; (b) controls over software development and changes; and (c) continuity of service plans; (4) this body of audit evidence led GAO, in February 1997 and again in January 1999, to designate information security as a governmentwide high-risk area in reports to Congress; (5) while a number of factors have contributed to weak federal information security, the fundamental underlying problem is poor security program management; (6) weaknesses continue to surface because agencies have not implemented a management framework for overseeing information security on an agencywide and ongoing basis; (7) to provide greater assurance that critical infrastructure objectives can be met, GAO believes that actions are needed in seven key areas; (8) it is important that the federal strategy delineate the roles and responsibilities of the numerous entities involved in federal information security and related aspects of critical infrastructure protection; (9) agencies need more specific guidance on the controls that they need to implement; (10) implementing such standards for federal agencies would require developing: (a) a single set of information classification categories for use by all agencies to define the criticality and sensitivity of the various types of information they maintain; and (b) minimum mandatory requirements for protecting information in each classification category; (11) routine periodic audits must be implemented to allow for meaningful performance measurement; (12) it is important for agencies to have the technical expertise they need to select, implement, and maintain controls that protect their computer systems; (13) agencies must have resources sufficient to support their computer security and infrastructure protection activities; and (14) there is a need to more comprehensively monitor and develop responses to intrusions, viruses, and other incidents that threaten federal systems.