
Information Security: Selected Departments Need to Address Challenges in Implementing Statutory Requirements

GAO-07-528 Published: Aug 31, 2007. Publicly Released: Oct 01, 2007.

Highlights

The Federal Information Security Management Act of 2002 (FISMA) strengthened security requirements by, among other things, requiring federal agencies to establish programs to provide cost-effective security for information and information systems. In overseeing FISMA implementation, the Office of Management and Budget (OMB) has established supporting processes and reporting requirements. However, 4 years into implementation of the act, agencies have not yet fully implemented key provisions. In this context, GAO determined what challenges or obstacles inhibit the implementation of the information security provisions of FISMA at the Departments of Defense, Homeland Security, Justice, and State. To do this, GAO reviewed and analyzed department policies, procedures, and reports related to department information security programs and interviewed agency officials.

Recommendations

Recommendations for Executive Action

Agency Affected: Department of State
Recommendation: The Secretary of State should direct State's CIO to address the weaknesses in security control testing policies as described in this report, and ensure that components complete required annual security control and contingency plan testing on all systems.
Status: Closed – Implemented
In fiscal year 2010, we verified that the Department of State implemented an automated tool that outlines policies for testing and evaluation of security controls and contingency plans, and allows the department to track testing reports.

Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should direct the Department of Defense's CIO to develop and implement a plan with milestones to achieve full implementation of common security configurations across all system platforms.
Status: Closed – Implemented
In fiscal year 2011, GAO verified that the Department of Defense had issued an Instruction in November 2007 establishing a certification and accreditation process that required a Defense-wide configuration control and management process. GAO also verified that Defense had implemented plans, such as the Federal Desktop Core Configuration, to achieve full implementation of common security configurations across all system platforms.

Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should direct the Department of Defense's CIO to develop and implement a plan with milestones to implement a mechanism to track information security training of personnel (i.e., security awareness and specialized training).
Status: Closed – Implemented
In fiscal year 2011, we verified that the Department of Defense issued an updated directive that described training objectives, including annual awareness training for all personnel, and specialized training for information assurance personnel. In addition, we verified that Defense has implemented an automated tool that enables the department to provide and track required training.

Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should direct the Department of Defense's CIO to address the weaknesses in security control testing policies as described in this report, and ensure that components complete required annual security control and contingency plan testing on all systems.
Status: Closed – Implemented
In fiscal year 2011, we verified that the Department of Defense has substantially addressed weaknesses in security control testing policies. In addition, Defense implemented procedures to ensure that annual testing of security controls and contingency plans is conducted and recorded.

Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should direct the Department of Defense's CIO to complete development of the departmentwide remediation process and finalize the remediation guidance.
Status: Closed – Implemented
In fiscal year 2010, we verified that the Department of Defense had finalized the remediation process and guidance by issuing a Defense Instruction, "Information Assurance Certification and Accreditation Process (DIACAP)," in November 2007.

Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should direct the Department of Defense's CIO to develop and implement a plan with milestones to ensure that all information systems receive a full authorization to operate, and to improve the department's certification and accreditation process.
Status: Closed – Implemented
In fiscal year 2010, we verified that the Department of Defense, in its Defense Instruction "Information Assurance Certification and Accreditation Process (DIACAP)," restricted use of interim authority to operate by limiting the number of days that such an authorization can operate. Additionally, DIACAP requires operational systems found to have weaknesses to include these weaknesses in plans of action and milestones so they may be remediated. DIACAP also includes instructions for improving Defense's certification and accreditation processes.

Agency Affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should direct the Department of Homeland Security's CIO to develop and implement a plan with milestones to achieve full implementation of common security configurations across all system platforms.
Status: Closed – Implemented
In fiscal year 2010, we verified that the Department of Homeland Security (DHS) issued a performance plan in 2008 that lists steps for strengthening configuration management at DHS and specifies deadlines and resources for achieving these steps.

Agency Affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should direct the Department of Homeland Security's CIO to coordinate with Homeland Security's Office of Human Capital to finalize implementation of the centralized Web-based learning management system for tracking the information security training of personnel.
Status: Closed – Implemented
In fiscal year 2010, we verified that the Department of Homeland Security (DHS) has taken steps to finalize implementation of its centralized learning management system. Because this system did not track all DHS personnel, the department required all DHS components to report training totals to a Web-based, centralized compliance tool.

Agency Affected: Department of Justice
Recommendation: The Attorney General should direct the Department of Justice's CIO to develop and implement a plan with milestones to achieve full implementation of common security configurations across all system platforms.
Status: Closed – Implemented
In fiscal year 2011, we verified that the Department of Justice has issued a configuration management plan. In addition, Justice has implemented automated tools to ensure that department components adhere to configuration requirements.

Agency Affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should direct the Department of Homeland Security's CIO to address the weaknesses in security control testing policies as described in this report, and ensure that components complete required annual security control and contingency plan testing on all systems.
Status: Closed – Implemented
In fiscal year 2010, we verified that the Department of Homeland Security (DHS) issued a performance plan in 2008 that strengthens policies for testing security controls. In addition, this plan includes verification and validation processes for security control and contingency plan testing.

Agency Affected: Department of Justice
Recommendation: The Attorney General should direct the Department of Justice's CIO to address the weaknesses in security control testing policies as described in this report.
Status: Closed – Implemented
In fiscal year 2011, we verified that the Department of Justice issued a security control assessment guide in 2009 that strengthens Justice's testing policies, including determining the depth and breadth of testing needed. In addition, we verified that Justice is conducting annual security assessments for all of its components.

Agency Affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should direct the Department of Homeland Security's CIO to determine whether the department's FISMA reporting tool meets the requirements of different users, such as those at components, and take any necessary corrective action.
Status: Closed – Implemented
In fiscal year 2010, we verified that the Department of Homeland Security's (DHS) Chief Information Officer had determined that the department's FISMA reporting tool, along with other tools for tracking actions taken to address weaknesses, meets the requirements of different DHS users. The CIO outlined processes in place for addressing the concerns of various DHS components regarding remediation tools.

Agency Affected: Department of Justice
Recommendation: The Attorney General should direct the Department of Justice's CIO to reconcile redundancies in the department's remediation plan tracking tool.
Status: Closed – Implemented
In fiscal year 2010, we verified that the Department of Justice replaced the remediation tracking tool that contained redundant plans of action and milestones (POA&Ms) with another tracking tool, and ensured that duplicate versions of POA&Ms were removed.

Agency Affected: Department of State
Recommendation: The Secretary of State should direct State's Chief Information Officer (CIO) to improve mechanisms for tracking information security awareness training of personnel.
Status: Closed – Implemented
In fiscal year 2010, we verified that the Department of State was implementing an automated tool that tracks information security awareness training of personnel. State has also enhanced its review processes to determine that all users have completed this training.

Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should direct the Department of Defense's CIO to develop and implement a plan with milestones to finalize and implement a departmentwide definition of a major information system that is accepted by the Defense Inspector General.
Status: Closed – Not Implemented
In fiscal year 2009, we verified that the Department of Defense did not take action on this recommendation. Defense did not concur with the recommendation, and stated that its current definition of a major information system satisfied department requirements and those of the Federal Information Security Management Act.


Topics

Computer security, Employee training, Information security, Information systems, Internal controls, Testing, Reporting requirements, Risk management, Government agency oversight, Program implementation