Over the past several years, federal agencies have rapidly adopted the use of wireless technologies for their information systems. In a 2005 report, GAO recommended that the Office of Management and Budget (OMB), in its role overseeing governmentwide information security, take several steps to help agencies better secure their wireless networks. GAO was asked to update its prior report by (1) identifying leading practices and state-of-the-art technologies for deploying and monitoring secure wireless networks and (2) assessing agency efforts to secure wireless networks, including their vulnerability to attack. To do so, GAO reviewed publications, guidance, and other documentation and interviewed subject matter experts in wireless security. GAO also analyzed policies and plans and interviewed agency officials on wireless security at 24 major federal agencies and conducted additional detailed testing at these 5 agencies: the Departments of Agriculture, Commerce, Transportation, and Veterans Affairs, and the Social Security Administration.
Recommendations for Executive Action
| Agency | Recommendation |
|---|---|
| Office of Management and Budget | 1. To improve governmentwide oversight of wireless security practices, the Director of OMB, in consultation with the Secretary of Homeland Security, should include metrics related to wireless security as part of the Federal Information Security Management Act (FISMA) reporting process. |
| Office of Management and Budget | 2. To improve governmentwide oversight of wireless security practices, the Director of OMB, in consultation with the Secretary of Homeland Security, should develop the scope and specific time frames for additional activities that address wireless security as part of their reviews of agency cybersecurity programs. |
| Department of Commerce | 3. The Secretary of Commerce should instruct the Director of NIST to develop and issue guidelines in the following four areas: (1) technical steps agencies can take to mitigate the risk of dual connected laptops, (2) governmentwide secure configurations for wireless functionality on laptops and for smartphones such as BlackBerries, (3) appropriate ways agencies can centralize their management of wireless technologies based on business need, and (4) criteria for selection of tools and recommendations on appropriate frequencies of wireless security assessments and recommendations for when continuous monitoring of wireless networks may be appropriate. |