Information Security: Federal Agencies Need to Improve Controls over Wireless Networks

GAO-05-383 Published: May 17, 2005. Publicly Released: May 17, 2005.

Highlights

The use of wireless networks is becoming increasingly popular. Wireless networks extend the range of traditional wired networks by using radio waves to transmit data to wireless-enabled devices such as laptops. They can offer federal agencies many potential benefits but they are difficult to secure. GAO was asked to study the security of wireless networks operating within federal facilities. This report (1) describes the benefits and challenges associated with securing wireless networks, (2) identifies the controls available to assist federal agencies in securing wireless networks, (3) analyzes the wireless security controls reported by each of the 24 agencies under the Chief Financial Officers (CFO) Act of 1990, and (4) assesses the security of wireless networks at the headquarters of six federal agencies in Washington, D.C.

Recommendations

Recommendations for Executive Action

Agency Affected: Office of Management and Budget
Recommendation: Because of the governmentwide challenges of wireless network security, the Director of OMB should instruct the federal agencies to ensure that wireless network security is incorporated into their agencywide information security programs, in accordance with the Federal Information Security Management Act (FISMA). In particular, agencywide security programs should include robust policies for authorizing the use of the wireless networks, identifying requirements, and establishing security controls for wireless-enabled devices in accordance with National Institute of Standards and Technology guidance.
Status: Closed – Implemented
GAO has verified that as of December 2007, in response to GAO's recommendation, OMB has instructed federal agencies to ensure network security is incorporated into their agencywide network security program through the use of National Institute of Standards and Technology (NIST) guidance. In particular, NIST Special Publication 800-48: Guide to Securing Legacy IEEE 802.11 Wireless Networks provides guidance for establishing wireless networking security policies, which includes criteria for identifying requirements and creating security controls.

Agency Affected: Office of Management and Budget
Recommendation: Because of the governmentwide challenges of wireless network security, the Director of OMB should instruct the federal agencies to ensure that wireless network security is incorporated into their agencywide information security programs, in accordance with FISMA. In particular, agencywide security programs should include security configuration requirements for wireless devices that include available security tools, such as encryption, authentication, virtual private networks, and firewalls.
Status: Closed – Implemented
GAO has verified that as of December 2007, in response to GAO's recommendation, OMB has instructed federal agencies to ensure network security is incorporated into their agencywide network security program through the use of National Institute of Standards and Technology (NIST) guidance. In particular, NIST Special Publication 800-48: Guide to Securing Legacy IEEE 802.11 Wireless Networks provides guidance for establishing wireless client device security. NIST guidance states that organizations should consider security tools such as personal firewalls and host-based intrusion detection and prevention systems for the protection of wireless client devices.

Agency Affected: Office of Management and Budget
Recommendation: Because of the governmentwide challenges of wireless network security, the Director of OMB should instruct the federal agencies to ensure that wireless network security is incorporated into their agencywide information security programs, in accordance with FISMA. In particular, agencywide security programs should include security configuration requirements for wireless devices that include placement and strength of wireless access points to minimize signal leakage.
Status: Closed – Implemented
GAO has verified that as of December 2007, OMB, in response to our recommendation, has instructed federal agencies to ensure network security is incorporated into their agencywide network security program through the use of National Institute of Standards and Technology (NIST) guidance. In particular, NIST Special Publication 800-48: Guide to Securing Legacy IEEE 802.11 Wireless Networks provides guidance for establishing access point configuration and awareness of access point security concerns.

Agency Affected: Office of Management and Budget
Recommendation: Because of the governmentwide challenges of wireless network security, the Director of OMB should instruct the federal agencies to ensure that wireless network security is incorporated into their agencywide information security programs, in accordance with FISMA. In particular, agencywide security programs should include security configuration requirements for wireless devices that include physical protection of wireless-enabled devices.
Status: Closed – Implemented
GAO has verified that as of December 2007, in response to GAO's recommendation, OMB has instructed federal agencies to ensure network security is incorporated into their agencywide network security program through the use of National Institute of Standards and Technology (NIST) guidance. In particular, NIST Special Publications 800-48: Guide to Securing Legacy IEEE 802.11 Wireless Networks and 800-53: Information Security provide guidance on the physical protection of wireless devices, such as establishing usage restrictions and implementation guidance for organization-controlled portable and mobile devices.

Agency Affected: Office of Management and Budget
Recommendation: Because of the governmentwide challenges of wireless network security, the Director of OMB should instruct the federal agencies to ensure that wireless network security is incorporated into their agencywide information security programs, in accordance with FISMA. In particular, agencywide security programs should include comprehensive monitoring programs, including the use of tools such as site surveys and intrusion detection systems to detect signal leakage.
Status: Closed – Implemented
GAO has verified that as of December 2007, OMB, in response to our recommendation, has instructed federal agencies to ensure network security is incorporated into their agencywide network security program through the use of National Institute of Standards and Technology (NIST) guidance. In particular, NIST Special Publication 800-48: Guide to Securing Legacy IEEE 802.11 Wireless Networks provides criteria for conducting site surveys, which describes the use of appropriate wall-mounted antennas to minimize signal leakage.

Agency Affected: Office of Management and Budget
Recommendation: Because of the governmentwide challenges of wireless network security, the Director of OMB should instruct the federal agencies to ensure that wireless network security is incorporated into their agencywide information security programs, in accordance with FISMA. In particular, agencywide security programs should include comprehensive monitoring programs, including the use of tools such as site surveys and intrusion detection systems to ensure compliance with configuration requirements.
Status: Closed – Implemented
GAO has verified that as of December 2007, in response to GAO's recommendation, OMB has instructed federal agencies to ensure network security is incorporated into their agencywide network security program through the use of National Institute of Standards and Technology (NIST) guidance. In particular, NIST Special Publication 800-48: Guide to Securing Legacy IEEE 802.11 Wireless Networks provides criteria for conducting site surveys, which describes the need for network administrators to ensure client devices are properly configured and comply with implemented Wireless Local Area Network (WLAN) policies.

Agency Affected: Office of Management and Budget
Recommendation: Because of the governmentwide challenges of wireless network security, the Director of OMB should instruct the federal agencies to ensure that wireless network security is incorporated into their agencywide information security programs, in accordance with FISMA. In particular, agencywide security programs should include comprehensive monitoring programs, including the use of tools such as site surveys and intrusion detection systems to ensure only authorized access and use of wireless networks.
Status: Closed – Implemented
GAO has verified that as of December 2007, in response to our recommendation, OMB has instructed federal agencies to ensure network security is incorporated into their agencywide network security program through the use of National Institute of Standards and Technology (NIST) guidance. In particular, NIST Special Publications 800-48: Guide to Securing Legacy IEEE 802.11 Wireless Networks and 800-97: Establishing Wireless Robust Security Networks provide criteria for conducting site surveys, which describes physical access controls and proper locations for access points.

Agency Affected: Office of Management and Budget
Recommendation: Because of the governmentwide challenges of wireless network security, the Director of OMB should instruct the federal agencies to ensure that wireless network security is incorporated into their agencywide information security programs, in accordance with FISMA. In particular, agencywide security programs should include comprehensive monitoring programs, including the use of tools such as site surveys and intrusion detection systems to identify unauthorized wireless-enabled devices and activities in the agency's facilities.
Status: Closed – Implemented
GAO has verified that as of December 2007, in response to our recommendation, OMB has instructed federal agencies to ensure network security is incorporated into their agencywide network security program through the use of National Institute of Standards and Technology (NIST) guidance. In particular, NIST Special Publication 800-97: Establishing Wireless Robust Security Networks provides criteria for conducting site surveys, which describes the need for wireless intrusion detection systems to detect suspicious or unauthorized wireless-enabled devices and activity.

Agency Affected: Office of Management and Budget
Recommendation: Because of the governmentwide challenges of wireless network security, the Director of OMB should instruct the federal agencies to ensure that wireless network security is incorporated into their agencywide information security programs, in accordance with FISMA. In particular, agencywide security programs should include wireless security training for employees and contractors.
Status: Closed – Implemented
GAO has verified that as of December 2007, in response to GAO's recommendation, OMB has instructed federal agencies to ensure network security is incorporated into their agencywide network security program through the use of National Institute of Standards and Technology (NIST) guidance. In particular, NIST Special Publications 800-53: Information Security and 800-97: Establishing Wireless Robust Security Networks provide guidance on wireless security training for employees and contractors, which describes security awareness and training policy and procedures to mitigate risks.

Topics

Computer network protocols, Computer networks, Computer security, Computer security policies, Information security, Information technology, Internal controls, Laptops, Regulatory agencies, Security policies, Strategic planning, Wireless networks, Policies and procedures, Security standards